Abstract: Ontic is an interactive system for developing and verifying mathematics. Ontic's verification mechanism is capable of automatically finding and applying information from a library containing hundreds of mathematical facts. Starting with only the axioms of Zermelo-Fraenkel set theory, the Ontic system has been used to build a data base of definitions and lemmas leading to a proof of the Stone representation theorem for Boolean lattices.
Chapter 1


Ontic in Brief


Ontic is a computer system for verifying mathematical arguments. Starting with the axioms of Zermelo-Fraenkel set theory, including Zorn's lemma as a version of the axiom of choice, the Ontic system has been used to define concepts involving partial orders and lattices and to verify a proof of the Stone representation theorem for Boolean lattices. This theorem involves an ultrafilter construction and is similar in complexity to the Tychonoff theorem in topology, which states that an arbitrary product of compact spaces is compact. The individual steps in the proof were verified with an automated theorem prover. The Ontic theorem prover automatically accesses a lemma library containing hundreds of mathematical facts; as more facts are added to the system's lemma library the system becomes capable of verifying larger inference steps.

The Ontic theorem prover is based on what I call object-oriented inference. Object-oriented inference is a forward chaining inference process applied to a large lemma library and guided by a set of focus objects. The focus objects are terms in the sense of first order predicate calculus: they are expressions which denote objects. It is well known that unrestricted forward chaining starting with a large lemma library leads to an immediate combinatorial explosion. However, the Ontic theorem prover is guided by the focus objects; the inference process is restricted to statements that are, in a technical sense, about the focus objects. Thus the inference process is "object-oriented". In verifying an argument the user specifies the set of focus objects. For example the user may tell the system to consider an arbitrary lattice L, an arbitrary subset S of X, and an arbitrary member x of S. Ontic's inference mechanisms are restricted to a finite set of formulas that are about the given focus objects. Certain forward chaining constraint propagation techniques can be effectively applied to this finite set of formulas. Natural language mathematical arguments, like those found in textbooks and journals, appear to be object-oriented in the sense that they instruct the reader to focus on certain objects. Thus Ontic's object-oriented inference mechanisms seem well suited for verifying natural arguments.

There are two motivations for building a system for verifying natural arguments. First there is an engineering motive: a sufficiently powerful mechanical verifier could have a variety of important practical applications, such as ensuring the correctness of mathematical arguments, the correctness of software systems, and the correctness of engineered devices in general. Second, the construction of a verification system for natural arguments can be motivated in terms of cognitive psychology. A verification system for natural arguments provides a computational model of the human cognitive processes involved in verifying arguments. The plausibility of such a cognitive model can be judged by comparing the length and structure of the arguments acceptable to people with the length and structure of arguments acceptable to the cognitive model.

The engineering motive and the cognitive model motive for building verification systems are not independent; a verification system that is a good cognitive model is likely to be pragmatically useful. More specifically, a verification system is a good cognitive model to the extent that arguments acceptable to the model are similar to the arguments acceptable to people. Thus if a verification system is a good cognitive model then it should be easy to convert arguments that are acceptable to people to arguments that can be verified by the system; a system that is a good cognitive model provides a good "impedance match" between the human user and the verification system.

On the other hand the two motivations for verification systems, the engineering motive and the cognitive model motive, are different motivations with different criteria for success. A verification system that exhibits clearly superhuman performance in its ability to verify statements is a bad cognitive model but a good verifier from an engineering point of view. It turns out that Ontic's mechanism for reasoning about equality, congruence closure, leads to some clear examples of superhuman performance on the part of the Ontic system. Thus congruence closure is not a good cognitive model for the way people reason about equality — there are equality reasoning mechanisms which are weaker than congruence closure which provide better cognitive models. However, from an engineering point of view congruence closure is better than the weaker mechanism (at least on serial machines). The analysis of congruence closure as a bad cognitive model is presented in detail in chapter 3.

The Ontic system was designed with both motivations in mind — an attempt was made to make the system a pragmatically effective verification system and at the same time to make the system a rough model of human mathematical cognition. The Ontic system should be judged on two independent grounds relative to these two goals. First, one can evaluate the system as an engineered device for verifying proofs by attempting to use the system for that purpose. Second, one can attempt to evaluate the system as a cognitive model by judging the similarity between natural language arguments acceptable to people and formal arguments acceptable to the system.

The remainder of this chapter is divided into four sections. The first section briefly discusses the nature of natural language mathematical arguments. The second section of the chapter discusses the formal language used in the Ontic system. The third section describes the user-level interface to the system and gives several examples of arguments verified by the system. The fourth section describes the object-oriented inference mechanisms in more detail.

The relationship between Ontic and previous work in reasoning, knowledge representation, and theorem proving is discussed in detail in chapter 2. Chapter 3 presents an analysis of the Ontic system as a cognitive model giving examples of both superhuman and subhuman performance on the part of the Ontic system. Chapters 4 and 5 give a mathematically precise account of the inference mechanisms as marker propagation algorithms on certain kinds of graph structure. Chapter 6 gives a mathematically precise definition of the Ontic formal language and chapter 7 gives a mathematically precise account of the compilation process by which expressions in the formal language are converted into graph structure. Chapter 8 lists some potential applications of automated inference systems such as Ontic and chapter 9 summarizes the main features of the Ontic system.


1.1 The Nature of Natural Arguments


By a "natural mathematical argument" I mean a proof written in a natural language, such as English, that would be acceptable as a fully worked out proof in a textbook or journal article. A natural mathematical argument consists of a sequence of natural language statements and the human reader is expected to use his or her knowledge and intelligence to see that each step clearly and necessarily follows from the previous steps. As an example of a natural argument consider the following proof that the square root of 2 is irrational.


Suppose that the square root of two were rational, i.e.


The squares p² and q² must each have an even number of prime factors. Thus, if p²/q² is an integer then this integer must also have an even number of prime factors. But 2 has only a single prime factor so p²/q² cannot equal 2.


This argument is perfectly rigorous; every step clearly follows from the previous steps and the conclusion is clearly established; √2 must be irrational. However, understanding this argument requires knowing certain facts about arithmetic and multisets. More specifically the above argument implicitly rests on the following facts:


1. The fundamental theorem of arithmetic — every natural number has a unique multiset of prime factors.

2. The multiset of factors of p² is the multiset union of the prime factors of p with itself.

3. The multiset union of a multiset with itself has an even number of members (an even multiset cardinality).

4. If p/q is an integer then the multiset of prime factors of q must be a subset of the multiset of prime factors of p.

5. If p/q is an integer then the multiset of prime factors of p/q is the multiset difference of the prime factors of p and the prime factors of q.

6. If the multisets m₁ and m₂ both have an even number of members and m₂ is a subset of m₁ then the multiset difference of m₁ and m₂ has an even number of members.
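The six facts above can be checked on concrete numbers. The following is an added example (my own code, not part of the thesis): multisets are modelled with Python's collections.Counter, whose + and - operators are multiset union and multiset difference, and the function names and sample values are this example's own.

```python
"""Checking the six multiset facts behind the sqrt(2) argument on concrete numbers.

Added worked example, not part of the original text. A multiset is a
collections.Counter; "+" is multiset union and "-" is multiset difference.
"""
from collections import Counter


def prime_factors(n: int) -> Counter:
    """Multiset of prime factors of n >= 1 (fact 1: it is unique)."""
    assert n >= 1
    factors: Counter = Counter()
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] += 1
            n //= d
        d += 1
    if n > 1:                      # the remaining cofactor is prime
        factors[n] += 1
    return factors


def size(m: Counter) -> int:
    """Multiset cardinality (members counted with multiplicity)."""
    return sum(m.values())


def is_submultiset(m1: Counter, m2: Counter) -> bool:
    """Every member of m1 occurs in m2 at least as often."""
    return all(m2[k] >= v for k, v in m1.items())


def check_facts(p: int, q: int) -> dict:
    """Evaluate facts 2-6 for an integer p and a divisor q of p."""
    assert p % q == 0, "facts 4-6 assume p/q is an integer"
    fp, fq = prime_factors(p), prime_factors(q)
    return {
        "fact2_square_is_self_union": prime_factors(p * p) == fp + fp,
        "fact3_self_union_is_even": size(fp + fp) % 2 == 0,
        "fact4_divisor_factors_are_subset": is_submultiset(fq, fp),
        "fact5_quotient_is_difference": prime_factors(p // q) == fp - fq,
        # fact 6 applied to the two even multisets of p^2 and q^2
        "fact6_even_minus_even_is_even":
            size(prime_factors(p * p) - prime_factors(q * q)) % 2 == 0,
    }


def square_ratio_parity(p: int, q: int) -> int:
    """Number of prime factors of p^2/q^2 (always even when q divides p)."""
    assert (p * p) % (q * q) == 0
    return size(prime_factors(p * p) - prime_factors(q * q))


def two_is_not_a_square_ratio(limit: int) -> bool:
    """Brute-force the conclusion for all 1 <= q <= p <= limit with q | p."""
    return all(
        (p * p) // (q * q) != 2
        for p in range(1, limit + 1)
        for q in range(1, p + 1)
        if p % q == 0
    )
```

check_facts(12, 6) returns True for every fact, square_ratio_parity(12, 6) is 2 (an even count, as fact 6 demands), while prime_factors(2) has a single member, which is exactly the parity clash the natural argument relies on.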


The fundamental theorem of arithmetic is a deep theorem involving several induction proofs. It seems quite likely that people have simply memorized this fact and use it freely. The other facts in the above list have simpler proofs (given the fundamental theorem of arithmetic). However, an explicit proof of any one of the above facts would be at least as long as the above proof that the square root of 2 is irrational. Furthermore, each of the above facts seems to be generally useful and thus it seems likely, or at least plausible, that people have memorized each of the above facts in addition to the fundamental theorem of arithmetic. People seem capable of using facts, such as the fundamental theorem, unconsciously; when reading the above natural argument one is not consciously aware of using the fundamental theorem of arithmetic. The above example suggests that people verify mathematical arguments by using knowledge they already have about the concepts involved and by applying that knowledge unconsciously in verifying the steps of the argument.
1.2 Ontic as a Formal Language


The Ontic system cannot read natural language — before an argument can be verified it must be translated into a machine readable form. The Ontic system manipulates formulas in the formal language called Ontic. The Ontic language is a syntactic sugar for first order set theory. The design of this syntactic sugar was driven by two motivations. First, the language is designed to be as similar as possible to natural language while still being simple and mathematically precise. Most atomic formulas in the Ontic language consist of a subject "noun phrase" and a predicate "verb phrase". In addition to being similar to natural language, the syntactic structure of the Ontic formal language facilitates the object-oriented inference mechanisms used in the system. Object-oriented inference is guided by a set of focus objects. The inference mechanisms "type" the focus objects — the system assigns a set of types to each focus object. In the Ontic system a type is any predicate of one argument; the types assigned to a focus object are predicates that are known to be true of that object. The syntax of the Ontic language is designed to facilitate this typing process; most atomic formulas state that a particular type applies to a particular object.

In the Ontic language there is no distinction between types, classes, sorts, and predicates of one argument. For an object x and type τ the phrases "τ contains x", "x is an instance of τ" and "τ is true of x" all mean the same thing. The word type is used, as opposed to the word class or predicate, because Ontic types are used in much the same way that types are used in computer programming languages; functions in the formal language can only be applied to arguments of the appropriate type and thus there is a distinction between "well-typed" and "ill-formed" expressions. For example, consider a function TOPOLOGICAL-CLOSURE such that if X is a topological space and A is a subset of X then

(TOPOLOGICAL-CLOSURE A X)

denotes the topological closure of A as a subset of X. An application of the operator TOPOLOGICAL-CLOSURE is well typed just in case its second argument denotes a topological space and its first argument denotes a subset of that space. The above expression is well typed but the expression

(TOPOLOGICAL-CLOSURE X A)

that results from reversing the arguments is not well typed because A is not a topological space and X need not be a subset of A.


Rather than give a rigorous syntax and semantics for the Ontic language, this section discusses the language informally and largely by example. A more rigorous treatment is presented in chapter 6. Every expression of the Ontic language belongs to exactly one of five syntactic categories; an expression is either a term, a formula, a function expression, a type expression, or a type generator expression. Terms are expressions that denote objects.¹ A formula is an expression which denotes one of the Boolean truth values true or false.² A function expression denotes a mapping from objects to objects. Each function expression takes a fixed number of arguments and returns an object.³ Type expressions are predicates of one argument.⁴ A type generator expression denotes a mapping from objects to types. Each type generator expression takes a fixed number of arguments and returns a type.⁵


1.2.1 Types


Figure 1.1 lists some type expressions. The first five type expressions in figure 1.1 are type symbols. The types THING and SET are primitive type symbols in the Ontic system. The Ontic system allows for the possibility that there are instances of the universal type THING, such as symbols, which are not instances of the type SET. Each of the types GROUP, TOPOLOGICAL-SPACE, and RIEMANNIAN-MANIFOLD can be defined in terms of more primitive concepts.


¹A term is an expression of kind OBJECT. It is consistent with the axioms of the logic to assume that all objects are actually sets in a standard model of ZFC set theory. However, it is more natural, and equally consistent, to assume that there exist objects which are not sets.

²A formula is an expression of kind BOOLEAN.

³Function expressions have kind OBJECT × OBJECT × ··· × OBJECT → OBJECT.

⁴Type expressions have kind OBJECT → BOOLEAN.

⁵Type generator expressions have kind OBJECT × OBJECT × ··· × OBJECT → TYPE.
THING, SET, GROUP, TOPOLOGICAL-SPACE, RIEMANNIAN-MANIFOLD
(MEMBER-OF s), (LOWER-BOUND-OF s p)
(LAMBDA ((x τ)) Φ(x))
(EITHER x y)
(AND-TYPE τ₁ τ₂)
(OR-TYPE τ₁ τ₂)


Figure 1.1: Ontic Type Expressions

The next two type expressions are types that result from applying type generators to arguments. If a term s denotes a set then (MEMBER-OF s) is a type expression such that an object is an instance of the type (MEMBER-OF s) just in case it is a member of the set s.⁶ Instances of the type

(LOWER-BOUND-OF s p)

are members of the partially ordered set p which are lower bounds of the subset s of p. One place lambda predicates are also type expressions. The instances of the type

(LAMBDA ((x τ)) Φ(x))

consist of exactly those instances x of the type τ which satisfy the formula Φ(x). The type (EITHER X Y) contains only the instances X and Y. The type (AND-TYPE τ₁ τ₂) contains exactly those objects which are instances of both the types τ₁ and τ₂. The type (OR-TYPE τ₁ τ₂) contains exactly those things which are instances of either of the types τ₁ or τ₂.


1.2.2 Terms

Figure 1.2 gives some Ontic terms. There are several ways of constructing terms in Ontic. The application of a function to arguments is a term. If τ

⁶The term s denotes an object while the expression (MEMBER-OF s) denotes a type; no expression is allowed to be both a term and a type.
(fun x₁ x₂ ...)
(THE-SET-OF-ALL τ)
(THE-RULE fun)
(THE τ)
'symbol


Figure 1.2: Ontic Terms

is a "small" type expression then the expression (THE-SET-OF-ALL τ) is a term which denotes the set of all instances of τ. The process of converting a type to a set is called reification and sets of the form

(THE-SET-OF-ALL τ)

are often called reified types. It is important to remember that there is a syntactic distinction between terms (which denote objects) and type expressions (which denote predicates). There are types, such as the type THING, which can not be converted to sets — there is no set of all things. Most of the axioms of Zermelo-Fraenkel set theory state that certain sets exist. One can view these axioms as saying that certain types can be converted to sets. In the Ontic system these axioms of set theory are incorporated into the notion of a syntactically small type expression; the operator THE-SET-OF-ALL can only be applied to syntactically small type expressions. The notion of a syntactically small type expression, and the relation between this notion and the axioms of set theory, are discussed in more detail in chapter 6, section 6.1.

If fun is a function of one argument then the term (THE-RULE fun) denotes the "rule" that corresponds to the function. The relationship between functions and rules is analogous to the relationship between types and sets — the expression (THE-RULE fun) is a term and denotes an object while fun is a function expression. Expressions of the form (THE-RULE fun) are often referred to as reified functions. There exist functions which can not be reified as rules, e.g. any function defined on all sets, such as the function that maps an arbitrary set to its power set, is too big to be reified as a rule.
If τ is a type with exactly one instance then the expression (THE τ) is a term which denotes the single object contained in the type. For example, if

(PRIME-NUMBER-BETWEEN n m)

is a type whose instances are the prime numbers between n and m then

(THE (PRIME-NUMBER-BETWEEN 20 25))

denotes the number 23.

Expressions of the form 'symbol are also terms. For example the expression 'FOO denotes the symbol FOO. Quoted symbols denote objects which are instances of the type SYMBOL. The Ontic system allows for the possibility that all objects are sets, i.e. that every object is an element of a model of Zermelo-Fraenkel set theory. However, the Ontic system also allows for a more natural interpretation under which rules and symbols are not sets — the types SET, RULE, and SYMBOL can be assumed to be disjoint.


1.2.3 Formulas

Figure 1.3 gives some Ontic formulas. The formula (IS x τ) is true just in case x denotes an instance of the type τ. Formulas of this form are intuitively pleasing because they seem to reflect natural language syntax — x is a subject "noun phrase" and the type τ is a predicate that applies to the subject. The formula (EXISTS-SOME τ) is true just in case there exists an instance of τ. The formula

(EXISTS ((x₁ τ₁) (x₂ τ₂) ...) Φ(x₁, x₂, ...))

is true just in case there exist instances a₁, a₂, ... aₙ of the types τ₁, τ₂, ... τₙ respectively such that Φ is true when the variables x₁, x₂, ... xₙ are interpreted as a₁, a₂, ... aₙ respectively. The formula

(FORALL ((x₁ τ₁) (x₂ τ₂) ...) Φ(x₁, x₂, ...))

has the obvious analogous meaning. The formula (EXACTLY-ONE τ) is true just in case there is exactly one instance of the type τ. The formula

(IS-EVERY τ₁ τ₂)
(IS x τ)
(EXISTS-SOME τ)
(EXISTS ((x₁ τ₁) (x₂ τ₂) ...) Φ(x₁, x₂, ...))
(FORALL ((x₁ τ₁) (x₂ τ₂) ...) Φ(x₁, x₂, ...))
(EXACTLY-ONE τ)
(IS-EVERY τ₁ τ₂)
(NOT Φ)
(AND Φ₁ Φ₂)


Figure 1.3: Ontic Formulas

is true just in case every instance of τ₁ is an instance of τ₂. Of course Boolean combinations of formulas are also formulas.


1.2.4 Definitions

Figure 1.4 gives some examples of definitions of functions and type generators. Functions are defined with the DEFTERM construct as shown in the first example. In the first example the function POWER-SET is defined to be equivalent to the lambda function

(LAMBDA ((S SET)) (THE-SET-OF-ALL (SUBSET-OF S)))

Thus the function POWER-SET takes one argument which must be a set and returns the set of all subsets of that set. Types and type generators are defined with the DEFTYPE construct. The second definition in figure 1.4 defines LOWER-BOUND-OF to be a type generator which takes two arguments: a set s and a poset p where the set s is required to be a subset of the set of elements of p. The type generator LOWER-BOUND-OF takes these arguments and returns a type: a predicate of one argument. An object x is an element of the type (LOWER-BOUND-OF s p) just in case x is an element of the underlying set of the poset p and every member of the set s is greater than or
(DEFTERM (POWER-SET (S SET))
  (THE-SET-OF-ALL (SUBSET-OF S)))

(DEFTYPE (LOWER-BOUND-OF
           (S (SUBSET-OF (U-SET P)))
           (P POSET))
  (LAMBDA ((X (MEMBER-OF (U-SET P))))
    (IS-EVERY (MEMBER-OF S)
              (GREATER-OR-EQUAL-TO X P))))

(DEFTYPE (GREATEST-LOWER-BOUND-OF
           (S (SUBSET-OF (U-SET P)))
           (P POSET))
  (LAMBDA ((X (LOWER-BOUND-OF S P)))
    (IS-EVERY (LOWER-BOUND-OF S P)
              (LESS-OR-EQUAL-TO X P))))

(DEFTYPE COMPLETE-LATTICE
  (LAMBDA ((P POSET))
    (FORALL ((S (SUBSET-OF (U-SET P))))
      (EXISTS-SOME (GREATEST-LOWER-BOUND-OF S P)))))


Figure 1.4: Some Ontic Definitions
equal to x under the ordering imposed by the poset p. The type generator GREATEST-LOWER-BOUND-OF is similar to LOWER-BOUND-OF: it takes a set s and a poset p where s is a subset of the underlying set of p and yields a type. An object x is an element of the type (GREATEST-LOWER-BOUND-OF s p) just in case x is a lower bound of s in the poset p and every lower bound of s in p is greater or equal to x. The type COMPLETE-LATTICE is defined so that an object p is of type COMPLETE-LATTICE just in case p is a poset such that for every subset s of the underlying set of p there exists a greatest lower bound of s under the ordering imposed by p.

The type restrictions on the formal parameters of functions and type generators determine a distinction between well-typed and ill-formed expressions. The Ontic system will not invoke the definition of a function or type generator unless the arguments to the function or type generator have been proven to be of the correct type; the Ontic system effectively type-checks expressions before it expands definitions. Given the expressive power of the Ontic type system, however, one can easily show that there are well-typed expressions which fail to type check. In the Ontic system type checking involves theorem proving based on a lemma library. Many of the lemmas of the lemma library state that certain objects have certain types; not surprisingly, such lemmas play an important role in determining if an expression is well typed. It is often the case that a given expression fails to type check using one lemma library but succeeds in type checking given a stronger lemma library.
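To make the semantics of sections 1.2.1 through 1.2.4 concrete, here is an added example (my own code, not the Ontic system's): a small evaluator in which an Ontic type is a Python predicate, the formulas of figure 1.3 are evaluated over an explicitly supplied finite universe, reification (THE-SET-OF-ALL, THE) is enumeration over that universe, and the figure 1.4 definitions of POWER-SET, LOWER-BOUND-OF, GREATEST-LOWER-BOUND-OF and COMPLETE-LATTICE are transcribed as functions. The poset representation (a pair of underlying set and ≤ relation), the `require` check that type-checks arguments before a definition is expanded, and the two sample posets are assumptions of this example, not part of Ontic.

```python
"""Finite-model evaluator for the Ontic vocabulary of figures 1.1-1.4.

Added example, not the Ontic implementation: types are Python predicates,
formulas quantify over an explicitly supplied finite universe, and a poset
is (assumption of this example) a pair (underlying set, leq relation).
"""
from itertools import combinations
from typing import Any, Callable

Obj = Any
Type = Callable[[Obj], bool]   # an Ontic type is a predicate of one argument

# -- type expressions (figure 1.1) --
def member_of(s: frozenset) -> Type:
    return lambda x: x in s

def lambda_type(tau: Type, phi: Callable[[Obj], bool]) -> Type:
    """(LAMBDA ((x tau)) phi(x)): the instances of tau that satisfy phi."""
    return lambda x: tau(x) and phi(x)

# -- formulas (figure 1.3); `universe` is the finite domain quantified over --
def exists_some(tau: Type, universe) -> bool:
    return any(tau(x) for x in universe)

def exactly_one(tau: Type, universe) -> bool:
    return sum(1 for x in universe if tau(x)) == 1

def is_every(t1: Type, t2: Type, universe) -> bool:
    """(IS-EVERY t1 t2): every instance of t1 is an instance of t2."""
    return all(t2(x) for x in universe if t1(x))

def forall(tau: Type, phi: Callable[[Obj], bool], universe) -> bool:
    return all(phi(x) for x in universe if tau(x))

# -- terms (figure 1.2) --
def the_set_of_all(tau: Type, universe) -> frozenset:
    """Reification; over a finite universe every type is "small"."""
    return frozenset(x for x in universe if tau(x))

def the(tau: Type, universe) -> Obj:
    """(THE tau) is well typed only when tau has exactly one instance."""
    instances = the_set_of_all(tau, universe)
    if len(instances) != 1:
        raise TypeError(f"(THE tau) is ill-formed: {len(instances)} instances")
    return next(iter(instances))

# -- the definitions of figure 1.4, evaluated over finite posets --
def u_set(p) -> frozenset:
    return p[0]

def subset_of(s: frozenset) -> Type:
    return lambda x: isinstance(x, frozenset) and x <= s

def greater_or_equal_to(x: Obj, p) -> Type:   # the y with x <= y in p
    return lambda y: p[1](x, y)

def less_or_equal_to(x: Obj, p) -> Type:      # the y with y <= x in p
    return lambda y: p[1](y, x)

def all_subsets(s: frozenset) -> list:
    items = sorted(s, key=repr)
    return [frozenset(c) for r in range(len(items) + 1) for c in combinations(items, r)]

def require(tau: Type, value: Obj, name: str) -> None:
    """Type-check an argument before the definition is expanded (section 1.2.4)."""
    if not tau(value):
        raise TypeError(f"ill-formed: argument {name} has the wrong type")

def power_set(s: frozenset) -> frozenset:
    require(lambda v: isinstance(v, frozenset), s, "S")
    return the_set_of_all(subset_of(s), all_subsets(s))

def lower_bound_of(s: frozenset, p) -> Type:
    require(subset_of(u_set(p)), s, "S")
    return lambda_type(member_of(u_set(p)), lambda x: is_every(
        member_of(s), greater_or_equal_to(x, p), u_set(p)))

def greatest_lower_bound_of(s: frozenset, p) -> Type:
    require(subset_of(u_set(p)), s, "S")
    return lambda_type(lower_bound_of(s, p), lambda x: is_every(
        lower_bound_of(s, p), less_or_equal_to(x, p), u_set(p)))

def complete_lattice(p) -> bool:
    return forall(subset_of(u_set(p)), lambda s: exists_some(
        greatest_lower_bound_of(s, p), u_set(p)), all_subsets(u_set(p)))

# -- constructed sample structures --
DIVISORS_OF_6 = frozenset({1, 2, 3, 6})
DIVISIBILITY = (DIVISORS_OF_6, lambda a, b: b % a == 0)    # a <= b iff a divides b
ANTICHAIN = (frozenset({"a", "b"}), lambda a, b: a == b)   # only the reflexive pairs

def prime_number_between(n: int, m: int) -> Type:
    return lambda k: n <= k <= m and k > 1 and all(k % d for d in range(2, k))

if __name__ == "__main__":
    print(the(prime_number_between(20, 25), range(20, 26)))              # 23
    print(complete_lattice(DIVISIBILITY), complete_lattice(ANTICHAIN))  # True False
```

Run stand-alone, the block prints 23 for (THE (PRIME-NUMBER-BETWEEN 20 25)) and shows that the divisibility order on {1, 2, 3, 6} is a complete lattice (the greatest lower bound of {2, 3} is 1, and the empty subset has greatest lower bound 6) while a two-element antichain is not. Calling lower_bound_of with an S that is not a subset of (U-SET P) raises before the definition body is evaluated, which mirrors the well-typed/ill-formed distinction the section describes; in Ontic that check is discharged by the lemma library rather than by a Python isinstance test.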


1.2.5 Summary


In addition to providing a distinction between well-typed and ill-formed expressions, the Ontic type vocabulary seems to allow for concise and natural formal statements. For example the IS-EVERY phrase constructor allows the concise expression of statements that would normally require explicit quantification. Similarly, the EXISTS-SOME phrase constructor uses the type vocabulary to make concise existential statements. Types are also used directly by the phrase constructors THE-SET-OF-ALL, THE, and EXACTLY-ONE.

The definitions in figure 1.4 should provide an indication of the conciseness and expressive power of the Ontic language. Jonathan Rees spent about a month defining various mathematical concepts in Ontic. Starting with only the fundamental notions described above, he used the Ontic language to formally define groups, rings, ideals in a ring, fields, the natural numbers, the real numbers (defined both as a totally ordered complete field and as Dedekind cuts), topological spaces, continuous functions, homotopy of maps between topological spaces, the fundamental group of a topological space, differentiable functions on the reals, the derivative of a function, the notion of a category and products and limits in arbitrary categories. The ease with which Rees expressed these concepts suggests that any mathematical concept can be readily expressed in Ontic.


1.3 Examples of Verification


Object-oriented inference operates in a context. A context consists of three things: a lemma library, a set of focus objects and a set of suppositions about the focus objects. Figure 1.5 gives a block diagram of the object-oriented inference mechanisms used in the Ontic system. The inference process is forward chaining; it draws conclusions from the lemma library without being given any goal formula. It is well known that unrestricted forward chaining from a large lemma library leads to an immediate combinatorial explosion — vast numbers of formulas are generated where each formula can be derived from the given lemmas in only a few steps. The forward chaining inference mechanisms used in the Ontic system, however, are guided by the focus objects. The focus objects are Ontic terms, expressions that denote objects. The system restricts its inference process to formulas that are in some sense "about" the focus objects. There are four basic inference mechanisms: Boolean constraint propagation, congruence closure, focused binding (also called semantic modulation), and automatic universal generalization. The first two inference mechanisms are well known inference procedures for the quantifier-free predicate calculus with equality. The last two inference mechanisms are unique to the Ontic system. These four inference mechanisms are discussed in section 1.4 and again in more detail in chapters 4 and 5. In a given context the four forward chaining inference mechanisms generate a set of formulas about the focus objects called "obvious truths".
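As an added illustration of the congruence closure mechanism named here, and of the "superhuman" equality reasoning that the introduction says chapter 3 analyses, the following is the textbook union-find formulation of congruence closure over ground terms. It is written for this page and is not Ontic's graph-based marker propagation implementation; the tuple encoding of terms and the two sample problems are constructed for the example.

```python
"""Congruence closure over ground terms: an added illustration of the
equality mechanism the text names. This is the textbook algorithm
(union-find plus congruence propagation), not Ontic's own implementation.
A term is a constant (a string) or an application written as a tuple:
('f', arg1, arg2, ...).
"""


class CongruenceClosure:
    def __init__(self):
        self.parent = {}      # union-find parent pointers over terms
        self.apps = []        # every application term registered so far

    def add(self, t):
        """Register a term together with all of its subterms."""
        if t in self.parent:
            return
        self.parent[t] = t
        if isinstance(t, tuple):
            for arg in t[1:]:
                self.add(arg)
            self.apps.append(t)

    def find(self, t):
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]   # path halving
            t = self.parent[t]
        return t

    def _union(self, s, t):
        rs, rt = self.find(s), self.find(t)
        if rs != rt:
            self.parent[rs] = rt

    def _congruent(self, s, t):
        """Same function symbol, same arity, pairwise-equal arguments."""
        return (s[0] == t[0] and len(s) == len(t)
                and all(self.find(a) == self.find(b) for a, b in zip(s[1:], t[1:])))

    def _propagate(self):
        """Merge congruent applications until nothing changes (quadratic scan;
        adequate for the small term sets of an example)."""
        changed = True
        while changed:
            changed = False
            for i, s in enumerate(self.apps):
                for t in self.apps[i + 1:]:
                    if self.find(s) != self.find(t) and self._congruent(s, t):
                        self._union(s, t)
                        changed = True

    def assert_equal(self, s, t):
        """Record the equation s = t and close under congruence."""
        self.add(s)
        self.add(t)
        self._union(s, t)
        self._propagate()

    def equal(self, s, t) -> bool:
        """Is s = t an 'obvious truth' given the equations asserted so far?"""
        self.add(s)
        self.add(t)
        self._propagate()
        return self.find(s) == self.find(t)


def f_iter(n: int, x='a'):
    """f applied n times to x: ('f', ('f', ... x))."""
    t = x
    for _ in range(n):
        t = ('f', t)
    return t


def superhuman_example() -> bool:
    """From f^3(a) = a and f^5(a) = a derive f(a) = a (constructed problem)."""
    cc = CongruenceClosure()
    cc.assert_equal(f_iter(3), 'a')
    cc.assert_equal(f_iter(5), 'a')
    return cc.equal(f_iter(1), 'a')


def no_overmerge_example() -> bool:
    """g(a) = g(b) alone must not force a = b; the closure stays sound."""
    cc = CongruenceClosure()
    cc.assert_equal(('g', 'a'), ('g', 'b'))
    return cc.equal('a', 'b')
```

superhuman_example() returns True: the closure derives f(a) = a from f³(a) = a and f⁵(a) = a in a few merges, a conclusion most readers have to work out deliberately, which is the kind of gap between the mechanism and human equality reasoning that the introduction attributes to congruence closure. no_overmerge_example() returns False, confirming that the procedure only merges terms the equations actually force together.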
(let-be F family-of-sets)

(let-be S set)

(suppose (is-every (member-of F) (superset-of S)))


Ontic Listener


Ontic Stack

3 (SUPPOSE (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
2 (LET-BE S SET)
1 (LET-BE F FAMILY-OF-SETS)


Figure 1.6: The Ontic Interpreter Display
The Ontic interpreter is an interactive system for verifying proofs. Each step in an argument is associated with a context, i.e. a set of focus objects, a set of suppositions about the focus objects and the current lemma library. The user tells the system when to enter new contexts, when to leave old contexts, and when to "note" a fact that has been established in a given context. Figure 1.6 shows the display of the Ontic interpreter as seen by a user who is about to verify a fact concerning families of sets. The top half of the display is a Lisp listener: a window for interacting with a Lisp interpreter. The bottom half of the display shows the context stack which displays the set of suppositions and focus objects for the current context. In the example shown in figure 1.6 the user first instructs the system to let F be a family of sets. This causes the system to enter a context in which it is focusing on an arbitrary family of sets denoted by F. The user then instructs the system to let S be any set. This causes the system to enter a context where it is focusing on an arbitrary set S. Finally the user instructs the system to suppose that every set in the family F is a superset of (i.e. contains) the set S. Each time a new context is entered, the instruction for entering that context is pushed onto the context stack shown in the bottom half of the display. By looking at the context stack display one can determine the set of focus objects and suppositions that are currently active.

Figures  1.7  through  1.13  show  successive  stages  in  the  verification  of  a 
simple  fact  concerning  families  of  sets.  Let  F  be  a  family  of  sets,  let  S  be 
a  set  and  suppose  that  every  member  of  the  family  F  contains  the  set  S. 
Figures  1.7  through  1.13  present  an  argument  showing  that  the  set  S  must 
be  a  subset  of  the  intersection  of  the  members  of  the  family  F.  Figure  1.7 
shows  the  definition  of  the  function  FAMILY-INTERSECTION  which  takes  a 
family  cf  sets  and  returns  the  intersection  of  all  its  members.  In  Figure  1.7 
the  user  asks  the  system  to  abbreviate  the  term  (FAMILY-INTERSECTION  F) 
with  the  symbol  INT.  This  causes  the  intersection  INT  to  become  a  focus 
object.  The  user  then  asks  the  system  if  the  set  S  is  a  subset  of  INT  and 
the  system  says  it  doesn’t  know.  The  user  then  states  that  the  formula 
(IS  S  (SUBSET-OF  INT))  is  a  goal  to  be  proven.  This  last  instruction  has 
no  effect  on  the  context;  the  system  is  not  goal  directed  and  ignores  goals 
which  appear  on  the  context  stack.  Goals  act  as  comments  which  improve 
the  readability  of  proofs  (the  written  form  of  proofs  will  be  discussed  later). 

    (defterm (family-intersection (F family-of-sets))
      (the-set-of-all
        (lambda ((x (member-of-member F)))
          (is-every (member-of F) (set-containing x)))))
    DEFINING FAMILY-INTERSECTION
    [ONTIC:DEFINED-FUNCTION-SYMBOL FAMILY-INTERSECTION]

    (let-be INT (family-intersection F))

    (is? S (subset-of INT))
    I-DONT-KNOW

    (push-goal (is S (subset-of INT)))

    Ontic Listener

    Ontic Stack

    5 (PUSH-GOAL (IS S (SUBSET-OF INT)))
    4 (LET-BE INT (FAMILY-INTERSECTION F))
    3 (SUPPOSE (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
    2 (LET-BE S SET)
    1 (LET-BE F FAMILY-OF-SETS)

Figure 1.7: Statement of a New Lemma to be Proved


    (let-be X (member-of S))

    >>Error: You have not established (EXISTS-SOME (MEMBER-OF S))
    (:PROPERTY LET-BE ONTIC:CONSTRUCTOR-FUNCTION):
      Arg 0 (ONTIC:ABBREV): X
      Arg 1 (ONTIC:TYPE): (MEMBER-OF S)
      Rest arg (FORMULA): NIL
    [three Lisp debugger restart options follow in the display]

    Ontic Listener

    Ontic Stack

    6 (LET-BE X (MEMBER-
    5 (PUSH-GOAL (IS S (SUBSET-OF INT)))
    4 (LET-BE INT (FAMILY-INTERSECTION F))
    3 (SUPPOSE (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
    2 (LET-BE S SET)
    1 (LET-BE F FAMILY-OF-SETS)

Figure 1.8: A Failed Instruction to the Interpreter


    (suppose (exists-some (member-of S)))

    (let-be X (member-of S))

    (is? X (member-of INT))
    I-DONT-KNOW

    Ontic Listener

    Ontic Stack

    7 (LET-BE X (MEMBER-OF S))
    6 (SUPPOSE (EXISTS-SOME (MEMBER-OF S)))
    5 (PUSH-GOAL (IS S (SUBSET-OF INT)))
    4 (LET-BE INT (FAMILY-INTERSECTION F))
    3 (SUPPOSE (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
    2 (LET-BE S SET)
    1 (LET-BE F FAMILY-OF-SETS)

Figure 1.9


    ;(defterm (family-intersection (F family-of-sets))
    ;  (the-set-of-all
    ;    (lambda ((x (member-of-member F)))
    ;      (is-every (member-of F) (set-containing x)))))

    (let-be S2 (member-of F))

    (is? X (member-of S2))
    YES

    (is? X (member-of INT))
    YES

    (is? S (subset-of INT))
    YES

    (note-goal)

    Ontic Listener

    Ontic Stack

    8 (LET-BE S2 (MEMBER-OF F))
    7 (LET-BE X (MEMBER-OF S))
    6 (SUPPOSE (EXISTS-SOME (MEMBER-OF S)))
    5 (PUSH-GOAL (IS S (SUBSET-OF INT)))
    4 (LET-BE INT (FAMILY-INTERSECTION F))
    3 (SUPPOSE (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
    2 (LET-BE S SET)
    1 (LET-BE F FAMILY-OF-SETS)

Figure 1.10: Establishing the Goal in a Certain Context


    [Abort]
    NIL

    [Abort]
    NIL

    (is? S (subset-of INT))
    YES

    Ontic Listener

    Ontic Stack

    6 (SUPPOSE (EXISTS-SOME (MEMBER-OF S)))
    5 (PUSH-GOAL (IS S (SUBSET-OF INT)))
    4 (LET-BE INT (FAMILY-INTERSECTION F))
    3 (SUPPOSE (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
    2 (LET-BE S SET)
    1 (LET-BE F FAMILY-OF-SETS)

Figure 1.11: Bringing the Result Back to an Earlier Context


    (note-goal)
    T

    (is? S (subset-of INT))
    YES

    Ontic Listener

    Ontic Stack

    5 (PUSH-GOAL (IS S (SUBSET-OF INT)))
    4 (LET-BE INT (FAMILY-INTERSECTION F))
    3 (SUPPOSE (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
    2 (LET-BE S SET)
    1 (LET-BE F FAMILY-OF-SETS)

Figure 1.13

To show that the set S is a subset of INT we must show that every member
of S is a member of INT. To do this we can consider some arbitrary member
X of the set S. In figure 1.8 the user tells the system to do so. However,
the system complains that we have not yet established that such members
exist; the set S might be empty. In general the system ensures that every
object being considered is known to exist. In order to consider an arbitrary
member of the set S we must first assume that such members exist. In figure
1.9 the user first instructs the system to suppose that there are members
of the set S and then he instructs the system to consider a particular (but
arbitrary) member X. The user then asks the system if X is a member of INT
and the system doesn’t know. At this point the user may be mystified as to
why the system does not “see” the obvious fact that X is indeed a member
of the family intersection INT. Before proceeding further, the user reviews
the definition of the function FAMILY-INTERSECTION as shown in figure 1.10.
This definition states that X is a member of the family intersection just in
case X is a member of every set in the family F. In figure 1.10 the user
shows that X is a member of the intersection INT by showing that X is a
member of an arbitrary set S2 in the family F. This is done by considering an
arbitrary member S2 of the family F. In this scenario, instances of the type
FAMILY-OF-SETS are by definition non-empty and thus we do not need the
additional assumption that F is non-empty. When the system focuses on the
member S2 of the family F it “sees” that because X is a member of S, and
S is a subset of S2, X is a member of S2. At this point the system performs
an automatic universal generalization. Since S2 is an arbitrary member of
F, and since X has been shown to be a member of S2, it follows that X is a
member of every member of F. Furthermore, since X is an arbitrary member
of S, the system can perform yet another automatic universal generalization
and conclude that all members of S must be members of INT and thus S is a
subset of INT. Asking the system a question has no effect on the state of the
system; the questions shown in figure 1.10 serve only to indicate the line of
reasoning used by the system. The problem was actually solved by forward
chaining as soon as the last context was entered.

The forward chaining inference mechanisms establish the goal in the context
shown in figure 1.10. In order to remember that the goal has been proven,
the system must update the underlying lemma library. More specifically, if
the lemma library were not updated, then when the user returned to a
previous context, nothing would have been learned; the set of “obvious
truths” in a context is determined by the lemma library, the focus objects
and the suppositions. In the scenario shown in figure 1.10 the user
explicitly updates the lemma library by calling the function NOTE-GOAL. In
this case the system adds the following lemma:

    (FORALL ((F FAMILY-OF-SETS)
             (S SET))
      (=> (AND (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S))
               (EXISTS-SOME (MEMBER-OF S)))
          (IS S (SUBSET-OF (FAMILY-INTERSECTION F)))))

In any context, the user can instruct the system to note any formula that
is obviously true in that context. The function NOTE-GOAL is just an
abbreviation for noting the latest goal which has been pushed onto the
context stack; the same effect would have been achieved if the user had
typed

    (NOTE (IS S (SUBSET-OF INT)))

When a formula is noted the system constructs the implication which states
that the suppositions active in the current context imply the noted formula.
The system then adds the universal closure of that implication to the
permanent lemma library. Note that in this case we have not really proven
the desired lemma; we have only proven it for the case where the set S is
non-empty.

Figure 1.11 shows that with the updated lemma library, the desired result
is “obvious” in the context associated with stack frame 6. However, the
result must still be proven for the case where S is empty; figure 1.12 shows
that the result has not yet been established at stack frame 5. But the case
for the empty set is trivial, and in figure 1.13 the user simply asks the
system to note the goal. Since the goal is not known directly at frame 5,
the system does a refutation proof; it enters a context where the goal is
assumed to be false. Given the new lemma shown above, the forward chaining
inference mechanisms are able to derive a contradiction from the negation of
the goal, and thus the goal is established by refutation. Thus the note-goal
in figure 1.13 has the effect of adding the following lemma to the lemma
library.

    (FORALL ((F FAMILY-OF-SETS)
             (S SET))
      (=> (IS-EVERY (MEMBER-OF F)
                    (SUPERSET-OF S))
          (IS S (SUBSET-OF (FAMILY-INTERSECTION F)))))

The “proof” shown in figures 1.7 through 1.13 is automatically recorded
by the system; figure 1.14 shows an automatically generated textual
representation of the complete proof. Evaluating the form shown in figure
1.14 with the Lisp interpreter causes the above two lemmas to be proved and
added to the lemma library. (The second lemma makes the first one obsolete
and the user can, if he wishes, explicitly delete the first lemma after the
proof has been done.)

The textual representation of proofs involves IN-CONTEXT expressions. In
general an IN-CONTEXT expression is composed of two parts: a “context
definition” and a body. The context definition specifies the construction of
a new context by giving a list of context-constructing instructions. The body
is a list of instructions to be executed in the specified context. The body
of an IN-CONTEXT expression may contain embedded IN-CONTEXT expressions.
Embedded contexts inherit the focus objects and suppositions of outer
contexts.

The two note-goal expressions in figure 1.14 correspond to the case analysis
performed in the interactive proof. The first note-goal notes that if there
exists a member of S then the theorem is true. The second note-goal invokes
a refutation proof which effectively handles the case where S is empty. In
general multiple note-goals for the same goal correspond to a case analysis.
Often, as in this example, the context for the last case does not need to be
explicitly constructed because an automatic refutation process initiated by
the last note-goal effectively constructs the context for the last case.
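The two passages above describe what NOTE (and hence NOTE-GOAL) records and how nested IN-CONTEXT forms scope focus objects and suppositions. The following is an added Python model of just that bookkeeping; it is not Ontic's own code, it does no forward chaining, and it assumes that a LET-BE whose second argument is a term headed by a known function symbol (here only FAMILY-INTERSECTION) is an abbreviation rather than a new variable. Fed the history of figure 1.14 (constructed here as an S-expression string), it produces the two lemmas shown above, written with EXISTS as in figure 1.14:

```python
import re

# Assumption (not from the text): LET-BE of a term whose head is one of these
# function symbols introduces an abbreviation, not a universally quantified
# variable.
FUNCTION_SYMBOLS = {"FAMILY-INTERSECTION"}

# Constructed input: the proof history of figure 1.14 as an S-expression.
HISTORY = """
(IN-CONTEXT ((LET-BE F FAMILY-OF-SETS)
             (LET-BE S SET)
             (SUPPOSE (IS-EVERY (MEMBER-OF F) (SUPERSET-OF S)))
             (LET-BE INT (FAMILY-INTERSECTION F))
             (PUSH-GOAL (IS S (SUBSET-OF INT))))
  (IN-CONTEXT ((SUPPOSE (EXISTS (MEMBER-OF S)))
               (LET-BE X (MEMBER-OF S))
               (LET-BE S2 (MEMBER-OF F)))
    (NOTE-GOAL))
  (NOTE-GOAL))
"""

def parse(text):
    """Read one S-expression into nested lists of upper-case symbol strings."""
    tokens = re.findall(r"\(|\)|[^\s()]+", text)
    pos = 0
    def read():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while tokens[pos] != ")":
                items.append(read())
            pos += 1
            return items
        return tok.upper()
    return read()

def show(expr):
    """Print nested lists back as an S-expression."""
    if isinstance(expr, list):
        return "(" + " ".join(show(e) for e in expr) + ")"
    return expr

def substitute(expr, bindings):
    if isinstance(expr, list):
        return [substitute(e, bindings) for e in expr]
    return bindings.get(expr, expr)

def symbols_in(expr, acc):
    if isinstance(expr, list):
        for e in expr:
            symbols_in(e, acc)
    else:
        acc.add(expr)
    return acc

def note(formula, variables, suppositions):
    """The lemma NOTE adds: the universal closure of 'the active suppositions
    imply formula'.  Only variables mentioned by the implication (or by the
    types of variables it mentions) are quantified."""
    if not suppositions:
        implication = formula
    else:
        antecedent = suppositions[0] if len(suppositions) == 1 else ["AND"] + suppositions
        implication = ["=>", antecedent, formula]
    used = symbols_in(implication, set())
    while True:                      # close over dependent variable types
        more = set()
        for name, typ in variables:
            if name in used:
                symbols_in(typ, more)
        if more <= used:
            break
        used |= more
    binder = [[name, typ] for name, typ in variables if name in used]
    return ["FORALL", binder, implication]

def run(form, variables=(), suppositions=(), abbrevs=None, goals=(), noted=None):
    """Walk an IN-CONTEXT form; return the lemmas its NOTE-GOALs would add.
    Each context gets copies of the outer state, so leaving it discards
    its focus objects, suppositions and goals."""
    variables, suppositions, goals = list(variables), list(suppositions), list(goals)
    abbrevs = dict(abbrevs or {})
    noted = [] if noted is None else noted
    assert form[0] == "IN-CONTEXT"
    for instr in form[1]:                       # the context definition
        kind, arg = instr[0], substitute(instr[-1], abbrevs)
        if kind == "LET-BE" and isinstance(arg, list) and arg[0] in FUNCTION_SYMBOLS:
            abbrevs[instr[1]] = arg             # INT abbreviates a term
        elif kind == "LET-BE":
            variables.append((instr[1], arg))   # an arbitrary object of that type
        elif kind == "SUPPOSE":
            suppositions.append(arg)
        elif kind == "PUSH-GOAL":
            goals.append(arg)
    for body in form[2:]:                       # the body
        if body[0] == "IN-CONTEXT":
            run(body, variables, suppositions, abbrevs, goals, noted)
        elif body[0] == "NOTE-GOAL":
            noted.append(note(goals[-1], variables, suppositions))
    return noted

def noted_lemmas(history=HISTORY):
    return [show(lemma) for lemma in run(parse(history))]

if __name__ == "__main__":
    for lemma in noted_lemmas():
        print(lemma)
```

The inner NOTE-GOAL sees two active suppositions and so yields the conjunctive antecedent of the first lemma; the outer one sees only the IS-EVERY supposition and yields the second. The variables X and S2 are dropped from the binder because the implication never mentions them, which is why both lemmas quantify over F and S alone.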

The Ontic interpreter is able to use a large lemma library without human
assistance; the system automatically applies facts from the lemma library
whenever it enters a new context. Figure 1.15 shows the lemma established
by the proof in figure 1.14 together with two other facts: for every family
of sets F, every member of F contains (as a subset) the family intersection
of F; and, for two sets, if each is a subset of the other, then the two sets
are equal. Figure 1.16 is a proof which makes use of the facts in figure 1.15.
We assume that the lemmas in figure 1.15 have been placed in the lemma
library and are therefore available to the Ontic interpreter. The proof in
figure 1.16 goes as follows: Let S be any set and let S2 be any subset of
S. Let F be the set of all subsets of S which contain the set S2. We wish
to show that the family intersection of F equals the set S2. First the user
focuses on the family intersection of F by abbreviating this intersection
with the symbol INT. Next the user focuses on an arbitrary member S3 of the
family F. Focusing on an arbitrary member of F causes the system to
“realize” various facts about F. For example every member of F is a set and
thus F is a family of sets. By proving that F is a family of sets the system
establishes that the term (FAMILY-INTERSECTION F) is well typed and thus the
definition of FAMILY-INTERSECTION can be invoked. Furthermore S3 is a
superset of S2, so S2 is a subset of S3 and by universal generalization S2 is
a subset of every member of F. Once the system deduces that F is a family of
sets and every member of F is a set which contains S2, the system
automatically applies the first lemma in figure 1.15 and realizes that S2 is
a subset of the intersection INT. The system also realizes that the set S2
is a member of the family F and applies the second lemma in figure 1.15,
thus realizing that the intersection INT is a subset of S2. Finally the
system applies the third fact in figure 1.15 and realizes that INT equals S2.


    (IN-CONTEXT ((LET-BE F FAMILY-OF-SETS)
                 (LET-BE S SET)
                 (SUPPOSE (IS-EVERY (MEMBER-OF F)
                                    (SUPERSET-OF S)))
                 (LET-BE INT (FAMILY-INTERSECTION F))
                 (PUSH-GOAL (IS S (SUBSET-OF INT))))
      (IN-CONTEXT ((SUPPOSE (EXISTS (MEMBER-OF S)))
                   (LET-BE X (MEMBER-OF S))
                   (LET-BE S2 (MEMBER-OF F)))
        (NOTE-GOAL))
      (NOTE-GOAL))

Figure 1.14: The History


    (FORALL ((F FAMILY-OF-SETS)
             (S SET))
      (=> (IS-EVERY (MEMBER-OF F)
                    (SUPERSET-OF S))
          (IS S (SUBSET-OF (FAMILY-INTERSECTION F)))))

    (FORALL ((F FAMILY-OF-SETS)
             (S (MEMBER-OF F)))
      (IS (FAMILY-INTERSECTION F)
          (SUBSET-OF S)))

    (FORALL ((S1 SET)
             (S2 SET))
      (=> (AND (IS S1 (SUBSET-OF S2))
               (IS S2 (SUBSET-OF S1)))
          (= S1 S2)))

Figure 1.15: Some Simple Facts


    (IN-CONTEXT ((LET-BE S SET)
                 (LET-BE S2 (SUBSET-OF S))
                 (LET-BE F (THE-SET-OF-ALL
                             (AND-TYPE (SUBSET-OF S)
                                       (SUPERSET-OF S2)))))
      (IN-CONTEXT ((PUSH-GOAL (= S2 (FAMILY-INTERSECTION F))))
        (IN-CONTEXT ((LET-BE INT (FAMILY-INTERSECTION F))
                     (LET-BE S3 (MEMBER-OF F)))
          (NOTE-GOAL))))

Figure 1.16: A Proof Using Lemmas



Actually the Ontic interpreter makes no distinction between definitions
and lemmas; definitions are just universally quantified equations which are
accessed in the same manner as lemmas. The proof shown in figure 1.16
relies on definitions as well as the lemmas shown in figure 1.15. The proof
shown in figure 1.14 does not involve any previously proven lemmas but it
does involve the definition of the intersection of a family of sets.

In general, the user need not make explicit references to definitions and
lemmas. The user relies on the system to use definitions and lemmas whenever
they are appropriate. For example, consider an arbitrary lemma of the
following form:

    (FORALL ((x $\tau_1$) (y $\tau_2$)) $\Phi(x, y)$)

This “lemma” might actually be a definition, in which case $\Phi$ is an
equation or logical equivalence. The Ontic system will automatically use
this lemma in any context where there are two focus objects A and B such
that A is an instance of $\tau_1$ and B is an instance of $\tau_2$. In
general, a universally quantified lemma such as the one shown above will be
instantiated with all combinations of focus objects that match the type
restrictions of the lemma. Once the lemmas have been instantiated with the
focus objects, the system applies the forward chaining inference techniques
of Boolean constraint propagation, congruence closure, and automatic
universal generalization. The instantiation process that invokes facts from
the lemma library is a graph-theoretic marker-propagation inheritance
mechanism called focused binding or semantic modulation. The focused binding
mechanism achieves the effect of instantiation but avoids constructing the
formulas that result from the syntactic substitutions done by normal
instantiation.
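The effect that focused binding achieves, instantiating each typed lemma with every combination of focus objects known to satisfy its type restrictions, is easiest to see in the naive form the paragraph contrasts it with: plain syntactic substitution. The following added Python example (not Ontic's code, and not its marker-propagation implementation) does exactly that for the three facts of figure 1.15 against the focus objects of figure 1.16. The table of established type memberships, the decision to allow the same object for two variables, and the tuple encoding of expressions are all assumptions made for the example; lemma variables are just names that get replaced, so the lemma's F and the focus object F coincide harmlessly.

```python
# Constructed input: the three facts of figure 1.15 as nested tuples
# (FORALL, binder, body).  Variables are plain symbols to be substituted.
LEMMAS = [
    ("FORALL", (("F", "FAMILY-OF-SETS"), ("S", "SET")),
     ("=>", ("IS-EVERY", ("MEMBER-OF", "F"), ("SUPERSET-OF", "S")),
            ("IS", "S", ("SUBSET-OF", ("FAMILY-INTERSECTION", "F"))))),
    ("FORALL", (("F", "FAMILY-OF-SETS"), ("S", ("MEMBER-OF", "F"))),
     ("IS", ("FAMILY-INTERSECTION", "F"), ("SUBSET-OF", "S"))),
    ("FORALL", (("S1", "SET"), ("S2", "SET")),
     ("=>", ("AND", ("IS", "S1", ("SUBSET-OF", "S2")),
                    ("IS", "S2", ("SUBSET-OF", "S1"))),
            ("=", "S1", "S2"))),
]

# Constructed (an assumption): the focus objects of the context in figure
# 1.16 and the type memberships taken as already established for them,
# keyed by the ground type expression.
KNOWN = {
    "SET": {"S", "S2", "INT"},
    "FAMILY-OF-SETS": {"F"},
    ("SUBSET-OF", "S"): {"S2"},
    ("MEMBER-OF", "F"): {"S2"},
}

def subst(expr, env):
    """Replace bound variable names by the objects they are bound to."""
    if isinstance(expr, tuple):
        return tuple(subst(e, env) for e in expr)
    return env.get(expr, expr)

def show(expr):
    if isinstance(expr, tuple):
        return "(" + " ".join(show(e) for e in expr) + ")"
    return expr

def bindings(binder, known, env=None):
    """Yield every environment binding the binder's variables in order.
    A later type may mention an earlier variable, as (S (MEMBER-OF F))
    does, so each type is instantiated with the bindings made so far
    before the focus objects known to be its instances are looked up."""
    env = env or {}
    if not binder:
        yield env
        return
    (var, typ), rest = binder[0], binder[1:]
    for obj in sorted(known.get(subst(typ, env), ())):
        yield from bindings(rest, known, {**env, var: obj})

def instantiate(lemma, known):
    """All ground instances of one lemma over the known focus objects."""
    _, binder, body = lemma
    return [show(subst(body, env)) for env in bindings(binder, known)]

def instantiate_all(lemmas=LEMMAS, known=KNOWN):
    return [inst for lemma in lemmas for inst in instantiate(lemma, known)]

if __name__ == "__main__":
    for inst in instantiate_all():
        print(inst)
```

The second lemma yields exactly one instance, (IS (FAMILY-INTERSECTION F) (SUBSET-OF S2)), because only S2 is known to be a member of F; the third yields one formula per ordered pair of SET-typed objects. Those instances are the formulas on which the quantifier-free mechanisms then operate; focused binding obtains the same conclusions without ever building the substituted formulas.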

One way of measuring the performance of a verification system is to compare
the length of a natural argument with the length of a corresponding machine
readable proof. The ratio of the length of a machine readable proof to the
length of the corresponding natural argument is called the expansion factor
for that proof. Figure 1.17 shows both an English natural argument (taken
from a textbook on lattice theory, [Gratzer 78] page 24) and a corresponding
Ontic proof. The natural argument contains 75 words and mathematical
symbols, while the Ontic proof contains 73 symbols, yielding a word count
expansion factor of about one. For the most part the “clear and necessary”
steps of this particular natural argument correspond to statements that the
Ontic interpreter can verify in a single step.
Proof. Let $P$ be a poset in which $\bigvee S$ exists for all $S \subseteq P$.
For $H \subseteq P$, let $K$ be the set of all lower bounds of $H$. By
hypothesis $\bigvee K$ exists; set $a = \bigvee K$. If $h \in H$, then
$h \ge k$ for all $k \in K$; therefore $h \ge a$ and $a \in K$. Thus $a$ is
the greatest member of $K$, that is $a = \bigwedge H$.


    (IN-CONTEXT ((LET-BE P POSET)
                 (SUPPOSE (FORALL ((S (SUBSET-OF (U-SET P))))
                            (EXISTS (LEAST-UPPER-BOUND-OF S P))))
                 (LET-BE H (SUBSET-OF (U-SET P)))
                 (PUSH-GOAL
                   (EXISTS (GREATEST-LOWER-BOUND-OF H P))))       ; #1
      (IN-CONTEXT
        ((LET-BE K (THE-SET-OF-ALL (LOWER-BOUND-OF H P)))
         (LET-BE a (THE (LEAST-UPPER-BOUND-OF K P))))
        (IN-CONTEXT ((PUSH-GOAL (IS a (LOWER-BOUND-OF H P))))     ; #2
          (IN-CONTEXT ((SUPPOSE (EXISTS (MEMBER-OF H)))
                       (LET-BE h0 (MEMBER-OF H)))
            (IN-CONTEXT
              ((PUSH-GOAL (IS h0 (UPPER-BOUND-OF K P))))           ; #3
              (IN-CONTEXT
                ((SUPPOSE (EXISTS (MEMBER-OF K)))
                 (LET-BE k0 (MEMBER-OF K)))
                (NOTE-GOAL))                                       ; #3
              (NOTE-GOAL)))                                        ; #3
          (NOTE-GOAL))                                             ; #2
        (NOTE-GOAL)))                                              ; #1

Figure 1.17: Least upper bounds yield greatest lower bounds.
The natural argument shown in figure 1.17 concerns complete lattices.
A complete lattice is a partially ordered set P such that every subset of P
has both a least upper bound and a greatest lower bound. The arguments
in figure 1.17 show that if every subset of a partially ordered set P has a
least upper bound, then every subset of P must also have a greatest lower
bound. In the argument from Gratzer’s book, shown in figure 1.17, the least
upper bound of a set H is denoted $\bigvee H$ and the greatest lower bound
of H is denoted $\bigwedge H$. In the Ontic proof the goals are numbered so
that one can more easily see the association between the statement of the
goal and the achievement of the goal.

A different measure of the length of an argument or proof is obtained by
counting the number of type expressions rather than words. The number of
type expressions used in an argument provides a rough measure of the number
of “statements” involved. A direct translation of the natural argument in
figure 1.17 into Ontic would contain 14 type expressions while the actual
Ontic proof contains only 13 type expressions, yielding an expansion factor
of about one. Thus the basic result that the Ontic proof is about the same
length as the English proof does not depend on the particular way in which
one measures length.

In checking the proof in figure 1.17 the Ontic interpreter makes use of a
large lemma library. The system uses some basic facts about partial orders
together with the following facts:


1. The definitions of the concepts involved, e.g. the definition of partial
orders, lower bound, least member and greatest lower bound.

2. The fact that if s is a subset of a partially ordered set p then the set
of all lower bounds of s is a subset of p.

3. The fact that for any subset s of a partially ordered set p, there is at
most one least upper bound of s.


One can argue that the expansion factor measured for the proof of figure
1.17 is too low because the Ontic interpreter was allowed to use preproven
lemmas that are not shown in the formal proof. But all of the lemmas used
by the Ontic interpreter in proving this theorem are of general interest and
have in fact been used in several different contexts. Furthermore the last
two lemmas listed above have simple one or two line proofs in the Ontic
system and thus if those lemmas had not been in the lemma library the proof
shown in figure 1.17 would not be much longer.


1.3. EXAMPLES OF VERIFICATION                                            33

    Lemma                                            Predicate Count    Word Count
                                                     Expansion Factor   Expansion Factor

    If arbitrary least upper bounds exist then             .9                1.0
    arbitrary greatest lower bounds also exist.

    Every filter is contained in an ultrafilter.          1.3                1.2

    If F is an ultrafilter and $x \vee y \in F$           2.1                2.7
    then $x \in F$ or $y \in F$.

    Every Boolean algebra is isomorphic to a field        2.0                1.7
    of sets.

Table 1.1: Various Measurements of the Expansion Factor


It seems likely that human mathematicians unconsciously invoke a large
data base of general facts when they think about mathematical objects.
Furthermore, it seems likely that in familiarizing oneself with a new domain
one must verify a large body of “trivial” facts and incorporate these facts
into the way one thinks about the domain.

Bell and Machover’s text on mathematical logic gives a more concise proof
of the lemma of figure 1.17 ([Bell & Machover 77] page 127). In the proof a
least upper bound is called a supremum and a greatest lower bound is called
an infimum.

    Let L be a partially ordered set in which each subset has a
    supremum. Let X be a subset of L, and let Y be the set of lower
    bounds of X in L. Then Y has a supremum z and it is not hard
    to see that z is the infimum of X.

A direct translation of the statements in Bell and Machover’s proof into
the language Ontic would contain 7 type expressions while the machine
verifiable Ontic proof has 13 type expressions, yielding a predicate count
expansion factor of about two. While Bell and Machover’s proof is clearly
shorter than Gratzer’s proof, Bell and Machover’s proof includes the phrase
“and it is not hard to see that”. This phrase seems to be an admission that
the given proof is not complete. Gratzer’s proof, on the other hand, contains
no such phrase and we must take Gratzer’s proof as a fully expanded
(complete) proof.

The appendix contains a complete listing of a mathematical development
that ends with a proof of the Stone representation theorem for Boolean
lattices. This appendix provides a large number of examples of Ontic proofs
and these proofs can be used to evaluate the Ontic verifier. Table 1.1 shows
four expansion factor measurements taken from four of the larger proofs done
in the Ontic system. The table lists both a predicate count expansion factor
and a word count expansion factor for each test case. Both the natural
argument and the corresponding Ontic proofs for each test case can be found
in the appropriate sections of the appendix.

The machine readable proofs underlying table 1.1 relied on an extensive
lemma library and the expansion factor measurements are thus open to the
criticism that parts of the machine readable proof have been hidden in the
lemma library. However, once a sufficiently large lemma library has been
constructed, it should be possible to prove new theorems without extending
the basic lemma library. I believe that the numbers listed in table 1.1 are
accurate in that, with a mature lemma library, new theorems can be verified
with small expansion factors even if the expansion factor takes into account
all lemmas added during the verification.
1.4 The Inference Mechanisms


All of the inference mechanisms used in the Ontic system manipulate
labelings of a graph structure. More specifically, the Ontic system compiles
the lemma library into a graph structure where the nodes in the graph
structure correspond to unique expressions in the formal language. There
are nodes that correspond to terms, formulas, type expressions, function
expressions and type generator expressions. The graph structure has nine
different kinds of “links” where each link expresses a certain way that nodes
are related. For example if n is the node corresponding to the type
expression (LOWER-BOUND-OF s p) then there is a subexpression link that
relates n to the three nodes that correspond to the expressions
LOWER-BOUND-OF, s and p. There are also links that express Boolean
constraints among formula nodes, links that relate a lambda function to the
node representing the bound variable and the body of that expression, and
six other kinds of links.

A labeling of the graph structure consists of two parts: a partial truth
labeling on formula nodes, and a color labeling on all nodes. For each
formula node p the partial truth labeling either assigns p the label true,
assigns p the label false, or leaves p unlabeled. The color labels represent
an equivalence relation on nodes: two nodes with the same color label are
considered to be equivalent, i.e. proven equal in the current context.
Whenever an inference is made the system updates the labeling: either a
formula is assigned a truth label or two equivalence classes are merged by
recoloring one class to be the same color as the other class. Any such
inference process for updating labels on a fixed graph structure must
terminate because there are only finitely many formula nodes which can be
assigned truth labels, every merger of equivalence classes reduces the number
of equivalence classes remaining, and the number of equivalence classes
cannot drop below one.

The same underlying graph structure can be used in many different
contexts. Graph structure is never thrown away: each time new graph
structure is created it is saved for use in other contexts. Truth and color
labels, on the other hand, are temporary; they are thrown away, for example,
when the system stops considering a particular supposition or focus object.

This section presents an informal description of the inference mechanisms
which operate on the graph structure and the way in which the graph
structure is constructed from the lemma library. A precise description of
the inference mechanisms and graph structure is presented in chapters 4 and
5. Chapter 6 contains a precise description of the Ontic language and
chapter 7 contains a precise description of the way the lemma library is
compiled into graph structure.


1.4.1 Inference Mechanisms for Quantifier-Free Logic

Boolean constraint propagation and congruence closure were originally designed
as inference techniques for quantifier-free logic. Boolean constraint
propagation adds truth labels in response to Boolean constraints and previous
truth labels. For example, if the node for the implication (=> Φ Ψ)
is labeled true, and the node for Φ is labeled true, then Boolean constraint
propagation will ensure that the node for Ψ is labeled true. Similarly, if the
node for (=> Φ Ψ) is labeled true, and the node for Ψ is labeled false, then
Boolean constraint propagation will ensure that the node for Φ is labeled
false.

Boolean constraint propagation is also responsible for ensuring a certain
relationship between color labels and the truth labels of nodes representing
equalities. To ensure this relationship the system may merge equivalence
classes in response to the addition of a truth label or, alternatively, add a
truth label in response to the merger of equivalence classes. More specifically,
let p be a node which represents an equation between the expressions
represented by nodes n₁ and n₂. If the equality node p is assigned the label
true then the system ensures that nodes n₁ and n₂ have the same color label,
i.e. are in the same equivalence class. On the other hand if the nodes n₁
and n₂ are in the same equivalence class then the system ensures that p is
assigned the label true.⁷

Congruence closure is responsible for ensuring that the equivalence relation
represented by the color labels respects the substitution of equals for
equals. For example consider terms (POWER-SET s₁) and (POWER-SET s₂).
Congruence closure ensures that if the nodes representing the terms s₁ and s₂
have the same color label (are in the same equivalence class) then the nodes
representing the expressions (POWER-SET s₁) and (POWER-SET s₂) also have
the same color label. When two equivalence classes are merged congruence
closure may merge additional equivalence classes in order to ensure that the
equivalence relation respects the substitution of equals for equals.

⁷If n₁ and n₂ are in the same equivalence class and the equality node p has been labeled
false by some other inference process then the system signals a contradiction.
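The two quantifier-free mechanisms just described, as an added illustration written for this page rather than Ontic's own code (Ontic is a Lisp system; this is a small Python sketch): a fixed graph of term and formula nodes carries a partial truth labeling and a color labeling, Boolean constraint propagation applies the two implication rules above, equality nodes and color labels are kept consistent (including the contradiction of footnote 7), and congruence closure merges the classes of terms with the same function symbol and pairwise-equivalent arguments. The node names, the atomic formula A and the fact (=> A (= s1 s2)) in the scenario are constructed for the example.

```python
from itertools import combinations


class Contradiction(Exception):
    """Raised when some formula node would need both truth labels."""


class LabeledGraph:
    """Fixed graph of term and formula nodes with a partial truth labeling on
    formula nodes and a color labeling (equivalence classes) on every node."""

    def __init__(self):
        self.terms = {}         # term node -> (function symbol or None, argument nodes)
        self.implications = {}  # formula node -> (antecedent, consequent)
        self.equalities = {}    # formula node -> (left term node, right term node)
        self.truth = {}         # formula node -> True/False; absent means unlabeled
        self.color = {}         # every node -> color label

    def _add(self, node):
        self.color.setdefault(node, len(self.color))   # fresh color: its own class
        return node

    def term(self, node, fn=None, *args):
        self.terms[node] = (fn, tuple(args))
        return self._add(node)

    def atom(self, node):                  # structureless formula node
        return self._add(node)

    def implication(self, node, p, q):     # node stands for (=> p q)
        self.implications[node] = (p, q)
        return self._add(node)

    def equality(self, node, n1, n2):      # node stands for (= n1 n2)
        self.equalities[node] = (n1, n2)
        return self._add(node)

    def classes(self):
        return len(set(self.color.values()))

    def _set(self, node, value):
        """Assign a truth label; report whether anything changed."""
        old = self.truth.get(node)
        if old is None:
            self.truth[node] = value
            return True
        if old != value:
            raise Contradiction(f"{node} would be both true and false")
        return False

    def merge(self, a, b):
        """Recolor b's whole class with a's color; report whether classes shrank."""
        ca, cb = self.color[a], self.color[b]
        if ca == cb:
            return False
        for n, c in self.color.items():
            if c == cb:
                self.color[n] = ca
        return True

    def label(self, node, value):
        self._set(node, value)
        self.propagate()

    def propagate(self):
        """Run to a fixpoint; terminates because truth labels only grow and
        the number of classes only shrinks, both bounded by the node count."""
        changed = True
        while changed:
            changed = False
            for imp, (p, q) in self.implications.items():   # Boolean propagation
                if self.truth.get(imp) is True:
                    if self.truth.get(p) is True:
                        changed |= self._set(q, True)        # modus ponens
                    if self.truth.get(q) is False:
                        changed |= self._set(p, False)       # modus tollens
            for eq, (n1, n2) in self.equalities.items():     # equalities vs colors
                same = self.color[n1] == self.color[n2]
                if self.truth.get(eq) is True and not same:
                    changed |= self.merge(n1, n2)
                elif same:
                    changed |= self._set(eq, True)   # raises if eq is labeled false
            for (a, (fa, xa)), (b, (fb, xb)) in combinations(self.terms.items(), 2):
                if (fa is not None and fa == fb and len(xa) == len(xb)     # congruence
                        and all(self.color[x] == self.color[y] for x, y in zip(xa, xb))):
                    changed |= self.merge(a, b)


def power_set_example(deny_result=False):
    """Constructed scenario: (=> A (= s1 s2)) is labeled true, then A is
    established; s1 and s2 become equivalent and congruence closure identifies
    (POWER-SET s1) with (POWER-SET s2)."""
    g = LabeledGraph()
    g.term("s1"); g.term("s2")
    g.term("P1", "POWER-SET", "s1")
    g.term("P2", "POWER-SET", "s2")
    g.equality("eq_s", "s1", "s2")
    g.equality("eq_P", "P1", "P2")
    g.atom("A")
    g.implication("imp", "A", "eq_s")
    g.label("imp", True)
    if deny_result:
        g.label("eq_P", False)   # some other inference has denied the conclusion
    g.label("A", True)
    return g


def contradiction_detected():
    try:
        power_set_example(deny_result=True)
    except Contradiction:
        return True
    return False
```

Each pass over the graph only adds truth labels or merges classes, so `propagate` stops after at most one pass per label and per merge, which is the termination argument given above for any labeling process on a fixed graph.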


1.4.2 Generic Individuals, Classification, and Focused Binding

Recall that a context consists of a lemma library, a set of focus objects and
a set of suppositions about the focus objects. Focused binding is a way of
applying the universally quantified formulas in the lemma library to the focus
objects in a context. This is done using an inheritance mechanism similar
in spirit to Fahlman’s virtual copy mechanism based on marker propagation
[Fahlman 79]. More specifically, each type τ which has been compiled into
a node in the graph structure is associated with a set of (typically two or
three) generic individuals of that type. Information that is known to hold for
a given type is explicitly stated about the generic individuals of that type. A
focus object which is known to be an instance of type τ becomes a “virtual
copy” of one of the generic individuals of type τ and thus inherits information
from that individual.

Each generic individual is a term node in the graph structure. Information
which is known to hold for the type τ is explicitly stated about each generic
individual of type τ. More specifically, if the system compiles into graph
structure a universal formula of the form

(FORALL ((x τ)) Φ(x))

then for each generic individual g of type τ which is added to the graph
structure, the system constructs a Boolean constraint equivalent to the following
implication.

(=> (AND (FORALL ((x τ)) Φ(x))
         (EXISTS-SOME τ))
    Φ(g))

Given the above constraint, if the universally quantified formula is true in a
context, and instances of type τ are known to exist in that context, then the
body of the universal formula is known to be true for each generic individual
of type τ. In this way everything that is known about the type in general is
explicitly stated about the generic individuals of that type.

Classification assigns types to focus objects. Classification is needed in
order for focus objects to inherit information from generic individuals. The
system classifies a focus object r by collecting a set, types(r), of types known
to hold for r according to the following rules:

1. If the node for the formula (IS r τ) is labeled true then τ is included
in types(r).

2. If s is a term that is in the same equivalence class as the focus object
r, and if the formula (IS s σ) is labeled true, then σ is included in
types(r).

3. If τ is a member of types(r), and the formula (IS-EVERY τ σ) is labeled
true, then σ is included in types(r).

4. If τ is a member of types(r) and σ is a type in the same equivalence
class (with the same color as) τ then σ is included in types(r).


Focused binding causes a given focus object to inherit information from
a given generic individual. More specifically, for each focus object r and
each type τ in the set types(r) the system chooses a generic individual g of
type τ and constructs the binding g ↦ r. The generic individual g can be
thought of as a typed variable and the binding g ↦ r can be thought of
as a variable binding. In the Ontic system the variable binding g ↦ r is
implemented via the color labels: when the system constructs the binding
g ↦ r it assigns g and r the same color label, thereby making g equivalent
to r. When g is made equivalent to r, the congruence closure mechanism is
used to “unify” or “match” the expressions involving the generic individual
g with the expressions involving the focus object r. In this way the focus
object r becomes a virtual copy of the generic individual g. Since general
knowledge about the type τ is explicitly stated about the generic individual
g, general knowledge about the type τ becomes effectively stated about the
focus object r. In this way general facts in the lemma library are effectively
applied to focus objects of the correct type.

The focused binding process is sometimes called semantic modulation
because it involves modulating (changing) the interpretation of a fixed generic
individual. The same generic individual can be bound to different focus
objects in different contexts. In this way the system modulates the semantic
denotation of the generic individual, hence the term semantic modulation.

There are several subtleties involved in focused binding. First, the system
must not bind the same generic individual to two different focus objects
simultaneously. For example, consider a generic number g and two numbers
j and k which are focus objects such that j is an even number and k is an
odd number. If the system bound the generic number g to both j and k
simultaneously then it could prove that g was both even and odd and thus
that there exists a number which is both even and odd.

A second subtlety involves the possibility of circular bindings. Before
generating a binding of the form g ↦ r the system must be sure that r
does not depend on g. Any term can be given as a focus object. Generic
individuals themselves correspond to terms in the Ontic language (they are
Ontic variables) and thus a focus object may be a generic individual or a term
that contains a generic individual.⁸ For example, if g is a generic individual
ranging over numbers then the term 1 + g might be a focus object. In this
case one should prevent the binding g ↦ 1 + g; no number is equal to the
next number. The dependency test for avoiding circular bindings is similar
to the occurs-check done in unification. Given a focus object r of type τ
the system chooses a generic individual g such that g does not “occur in” r.
Unfortunately the occurs-check performed by the Ontic system is somewhat
complicated. Consider a generic individual y which ranges over numbers
which are greater than x, where x is a generic individual ranging over all
numbers (y is a generic individual of type (GREATER-THAN x)). The binding
x ↦ 1 + y is illegal because it forces x to be greater than itself. However, x
is not a free variable of the expression 1 + y. Rather, x is a free variable of
the type of y where y is a free variable of 1 + y. We say that an expression
u depends on a variable x if either x appears free in u or there is some
free variable y of u such that the type of y depends on x. Unfortunately
this notion of dependence still does not provide a sound occurs-check in the
Ontic system: if x and y both range over arbitrary numbers the system
must prevent the two simultaneous bindings x ↦ 1 + y and y ↦ 1 + x.
To prevent such circularities the system must take previous bindings into
account when computing occurs-checks. It turns out that there is a subtle
interaction between previous bindings and the dependencies introduced by
types. More specifically, if the system has already constructed the binding
y ↦ u then the type of y can be ignored in the occurs-check procedure. The
resulting occurs-check procedure runs quickly but the proof that the occurs-check
procedure leads to sound inference is somewhat complex (see sections
5.2 and 5.3).

⁸By abuse of notation I will identify a generic individual with the corresponding Ontic
variable. Technically, a generic individual is a node in the graph structure while an Ontic
variable is a term of the Ontic language.


1.4.3 Automatic Universal Generalization

The fourth inference mechanism used by the Ontic system is automatic
universal generalization. Universal generalization can be applied when the system
has deduced a fact about an arbitrary individual and no assumptions
have been made about that individual. More specifically, a universal
generalization inference can be made if:

• g is a generic individual of type τ.

• The system has labeled the node for a formula Φ(g) true.

• No assumptions have been made about the individual g other than the
assumption that it is an instance of type τ.

• No free variable of Φ(g) has a type that depends on g. The notion of
dependence used here is the same as that defined above: τ depends on
x just in case x appears free in τ or some free variable of τ has a type
which depends on x.

When the above conditions are met the system can infer the universal closure

(FORALL ((x τ)) Φ(x))

There are several things to note about automatic universal generalization.
First, this inference mechanism does not construct new formulas or new graph
structure; automatic universal generalization is only applied when the graph
already contains nodes for the formulas Φ(g) and the universal closure

(FORALL ((x τ)) Φ(x))

Second, types play a central role in the automatic universal generalization
mechanism. When the system proves the formula Φ(g) it is allowed to use the
fact that g is an instance of the type τ, and the resulting universal statement
applies to all instances of τ. Third, without the last restriction universal
generalization is unsound. For example, consider a generic individual y that
ranges over numbers greater than the generic number x. Without making
any assumptions about x and y other than that they are both instances of
their respective types, the system can deduce that x is less than y. It does not
follow, however, that all numbers are less than y; there is no largest number.
The fact that x is less than y does not imply that all numbers are less than
y because x “occurs in” y: x is a free variable in the type of y. The same
proof that shows that the Ontic occurs-check procedure is sound for focused
binding can be used to show that the Ontic occurs-check procedure leads to
sound universal generalization.
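The dependence relation, the occurs-check for focused binding described at the end of section 1.4.2, and the corresponding restriction on universal generalization above, as one added example (written for this page, not Ontic's code). Expressions and types are nested tuples such as `("+", 1, "y")` and `("GREATER-THAN", "x")`. Where the text says that the type of an already-bound variable is ignored and previous bindings are taken into account, this sketch assumes the simplest reading: a bound variable contributes whatever it is bound to, an unbound one contributes its type; the precise rule is in chapter 5, which is not on this page. The `Binder` class, its method names and the sample cases are this example's own.

```python
def free_vars(expr, variables):
    """Generic individuals (strings listed in `variables`) occurring free in expr."""
    if isinstance(expr, str):
        return {expr} if expr in variables else set()
    if isinstance(expr, tuple):
        return set().union(*(free_vars(e, variables) for e in expr[1:]))
    return set()


class Binder:
    """Focused bindings g -> r guarded by the dependence-based occurs-check."""

    def __init__(self, type_of):
        self.type_of = type_of      # generic individual -> its type expression
        self.bindings = {}          # generic individual -> focus object bound to it

    def depends(self, u, x):
        """u depends on x if x is free in u, or some free y of u stands for
        something that depends on x. ASSUMPTION: an unbound y contributes its
        type; a bound y contributes its binding and its type is ignored."""
        for y in free_vars(u, self.type_of):
            if y == x:
                return True
            stands_for = self.bindings.get(y, self.type_of[y])
            if self.depends(stands_for, x):
                return True
        return False

    def bind(self, g, r):
        """Construct g -> r unless g is already in use or r depends on g."""
        if g in self.bindings or self.depends(r, g):
            return False
        self.bindings[g] = r
        return True

    def can_generalize(self, g, phi):
        """Occurs-check half of the first universal generalization rule: no free
        variable of phi other than g may have a type depending on g. That phi
        is labeled true and g carries no other assumptions is the caller's job."""
        return all(y == g or not self.depends(self.type_of[y], g)
                   for y in free_vars(phi, self.type_of))


def examples():
    """The cases discussed in the text, constructed here; returns their outcomes."""
    out = {}
    # x ranges over all numbers, y over numbers greater than x
    b = Binder({"x": "NUMBER", "y": ("GREATER-THAN", "x")})
    out["x -> 1+y"] = b.bind("x", ("+", 1, "y"))                  # forces x > x
    out["gen over x"] = b.can_generalize("x", ("<", "x", "y"))    # unsound
    out["gen over y"] = b.can_generalize("y", ("<", "x", "y"))    # allowed
    # x and y both range over arbitrary numbers: the two bindings must not coexist
    c = Binder({"x": "NUMBER", "y": "NUMBER", "g": "NUMBER"})
    out["y -> 1+x"] = c.bind("y", ("+", 1, "x"))
    out["then x -> 1+y"] = c.bind("x", ("+", 1, "y"))             # circular via y
    out["g -> 1+g"] = c.bind("g", ("+", 1, "g"))                  # plain occurs-check
    return out
```

Note that `can_generalize("x", ...)` fails only because y's type mentions x; with two independent number variables the same formula could be generalized over either.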

The above notion of universal generalization can be made more powerful
by relaxing the restriction that no assumptions have been made about the
arbitrary individual being generalized over. More specifically one can perform
universal generalization under the following conditions:

• g is a generic individual of type τ.

• The system has labeled the node for a formula Φ(g) true.

• The system has bound g via the binding g ↦ h.

• h is a generic individual of type σ where σ has the same color label as
τ in the current context.

• No assumptions have been made about h.

• h does not “occur in” any free variable of Φ(g) other than g.

When the above conditions are met the system can infer the universal closure

(FORALL ((x τ)) Φ(x))

Again, note that this inference mechanism does not construct new formulas
or add new graph structure. In order for this inference mechanism to
be applied, all of the formulas involved must already be compiled into nodes
in the graph structure.

To see the importance of the more general automatic universal generalization
mechanism, consider a subset s of a partially ordered set p and the
set u of all lower bounds of s as a subset of p. Now consider a member x of
s. By definition u is the set of lower bounds of s so x is an upper bound of
u. It turns out that in the Ontic system proving this last statement requires
universal generalization. More specifically the Ontic system must focus on
an arbitrary member y of u and note that x is greater than or equal to y.
Since y is an arbitrary member of u, x is greater than or equal to all members
of u. In this situation the system will construct the following bindings:

s' ↦ u

z ↦ y

Here s' is a generic individual ranging over arbitrary subsets of p and z is a
generic individual ranging over members of s'. Now y is a generic individual
ranging over members of u and z is a generic individual ranging over members
of s', so z and y are different generic individuals whose types happen to be
equal in the current context. Furthermore z is bound to y. In this situation
the system generalizes over the variable z rather than the variable y. The
system must generalize over z rather than y because the definition of upper
bound is stated about the generic subset s' rather than the particular subset
u and thus the quantified formula in question quantifies over members of s'
rather than members of u.

All of the inference mechanisms used in the Ontic system run concurrently
and interact with each other. Inferences can lead to more knowledge about
the types of focus objects; this can lead to more bindings, which can lead
in turn to more inference. The time required to finish the overall inference
process is bounded by the size of the graph structure. This is because the
inference processes can only add as many truth labels as there are formula
nodes and can only merge as many equivalence classes as there are nodes
in total. The factors that contribute to the size of the graph structure are
discussed below.


1.4.4 The Size of the Graph Structure

When a new focus object r of type τ is introduced, it is possible that all
generic individuals of type τ have either already been bound to other objects
or occur in the focus object r and thus can not be bound to r. In this case
the system creates a new generic individual of type τ and copies all of the
information known about type τ as explicit statements about that new generic
individual. Once the generic individual has been constructed, however, it
is saved and can be used in other contexts. For most arguments there are
already enough generic individuals in the graph structure to accommodate
the focus objects and no new graph structure is created. However, if there
are not enough generic individuals to accommodate the focus objects, then
generic individuals are created on demand as focus objects are introduced.
As generic individuals are created the underlying graph structure expands.

The size of the graph structure created by the Ontic compiler is determined
by the library of mathematical facts and by the number of generic
individuals that have been created for each type. Fortunately, for any given
bound on the level of quantifier nesting, the size of the graph structure is
linear in the size of the lemma library; the amount of graph structure is the
sum over all lemmas of the amount of structure created by each lemma. This
fact allows the Ontic system to be used with large libraries of mathematical
facts. However, the cost of an individual lemma can be quite high. Consider
a lemma of the following form:

(FORALL ((x τ₁) (y τ₂) (z τ₃)) Φ(x, y, z))

The body of this lemma will be copied for each triple g₁, g₂, g₃ where
g₁, g₂ and g₃ are generic individuals of type τ₁, τ₂ and τ₃ respectively. In
general every quantified formula which is compiled into graph structure gets
instantiated with every generic individual of the appropriate type. Let |τ₁|,
|τ₂| and |τ₃| be the number of generic individuals for τ₁, τ₂, and τ₃ respectively.
The number of copies of the body of the above lemma is:

|τ₁| · |τ₂| · |τ₃|

Generic individuals are created on demand as new focus objects are introduced.
If no more than n focus objects have been introduced in any one
context then there will be at most n generic individuals of each type. If the
maximum number of quantifiers used in any lemma is d then there can be no
more than n^d copies of the body of each lemma. Lemmas rarely involve more
than three quantifiers and most sessions with the Ontic interpreter involve at
most five simultaneous focus objects. Thus a typical lemma in a typical session
generates no more than 5³ or 125 instantiations. In practice this number
is smaller because most lemmas quantify over highly specialized types and
there are typically only a small number of generic individuals of specialized
types. Again note that the size of the graph structure is linear in the size of
the lemma library; the total amount of graph structure is just the sum over
all lemmas of the amount of structure generated by each lemma. However,
the size of graph structure is very sensitive to the maximum number of focus
objects introduced in a given context. A good rule of thumb seems to be
that the size of the graph structure is proportional to n³|L| where n is the
maximum number of focus objects introduced in any one context and |L| is
the size of the lemma library.
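The compilation of a universal formula into per-generic-individual Boolean constraints (section 1.4.2) and the instantiation counts just discussed, as one added example that is not Ontic's compiler: each lemma is expanded into one constraint per tuple of generic individuals of the quantified types, and the total number of body copies is the sum over lemmas of the product of the |τ| counts. The page shows the constraint for a single quantifier; the multi-quantifier antecedent used here, one EXISTS-SOME per quantified type, is this example's own generalization. The library and the generic-individual tables are constructed sample data.

```python
from itertools import product


def substitute(expr, env):
    """Replace variables (strings present in env) throughout a nested-tuple expression."""
    if isinstance(expr, str):
        return env.get(expr, expr)
    if isinstance(expr, tuple):
        return tuple(substitute(e, env) for e in expr)
    return expr


def compile_lemma(lemma, generics):
    """Compile ("FORALL", ((x, tau1), (y, tau2), ...), body) into one constraint
    per tuple of generic individuals of the quantified types:
        (=> (AND lemma (EXISTS-SOME tau1) (EXISTS-SOME tau2) ...)
            body[g1/x, g2/y, ...])
    generics maps a type to the generic individuals created for it."""
    _, binders, body = lemma
    names = [v for v, _ in binders]
    types = [t for _, t in binders]
    antecedent = ("AND", lemma) + tuple(("EXISTS-SOME", t) for t in types)
    constraints = []
    for gs in product(*(generics.get(t, ()) for t in types)):
        constraints.append(("=>", antecedent, substitute(body, dict(zip(names, gs)))))
    return constraints


def instantiation_count(library, generics):
    """Copies of lemma bodies over the whole library: the sum over lemmas of the
    product of |tau| over each lemma's quantified types, hence linear in the
    library for a fixed quantifier bound."""
    total = 0
    for _, binders, _ in library:
        copies = 1
        for _, t in binders:
            copies *= len(generics.get(t, ()))
        total += copies
    return total


def worst_case_bound(n, d):
    """At most n generic individuals per type and d quantifiers per lemma gives
    at most n**d copies of any one lemma body."""
    return n ** d


# Constructed sample library and generic individuals (not Ontic's database).
LIBRARY = [
    ("FORALL", (("x", "NUMBER"), ("y", "NUMBER"), ("z", "NUMBER")),
     ("=>", ("AND", ("<", "x", "y"), ("<", "y", "z")), ("<", "x", "z"))),
    ("FORALL", (("s", "SET"), ("u", "SET")),
     ("=", ("INTERSECTION", "s", "u"), ("INTERSECTION", "u", "s"))),
]
GENERICS = {"NUMBER": ["n1", "n2", "n3"], "SET": ["s1", "s2"]}
```

With three generic numbers the transitivity lemma alone yields 27 body copies, the two-quantifier set lemma yields 4, and the five-focus-object, three-quantifier rule of thumb from the text gives the 125 ceiling per lemma.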
Chapter 2

Comparison with Other Work


The Ontic system represents a synthesis of ideas from artificial intelligence
and automated theorem proving. Constraint propagation is a forward chaining
inference technique that terminates quickly because it monotonically fills
a finite set of “slots”; the Ontic system monotonically generates truth and
color labels for nodes in a finite graph structure. Congruence closure is a powerful
theorem proving technique for reasoning about equality. Congruence
closure is usually viewed as an inference procedure reasoning about equalities
involving ground (variable-free) expressions. In the Ontic system, however,
congruence closure is used as an integral part of general first order theorem
proving. Focused binding, also known as semantic modulation, is closely related
to inheritance mechanisms which have been developed for knowledge
representation languages and object oriented computer programming languages.
Focused binding integrates inheritance with other theorem proving
mechanisms. Congruence closure is used to implement a strong virtual copy
mechanism that allows focus objects to inherit from generic individuals.
Automatic universal generalization is perhaps the simplest and yet the most
original feature of the Ontic system. Ontic brings all these ideas together in
a single integrated inference process.

The first section of this chapter relates each of the four basic inference
mechanisms used in Ontic with previous work in knowledge representation
and automated theorem proving. The second section of the chapter relates
Ontic’s focused binding mechanism to unification. Focused binding and
unification provide alternative ways of selecting and applying facts from a fact
library. The third section of the chapter lists various theorem proving
mechanisms other than those used in the Ontic system and attempts to show how
they are related to Ontic. The final section of the chapter lists some of the
general issues to be considered in constructing a proof verification system and
discusses how Ontic and various other systems have addressed those issues.


2.1 Inference Mechanisms Similar to Ontic’s


The following four sections discuss each of Ontic’s four inference mechanisms
in turn. The first three inference mechanisms are related to well known
inference techniques. Ontic, however, brings these mechanisms together in
an integrated, object oriented theorem proving process.


2.1.1 Constraint Propagation

There are many mechanisms in the artificial intelligence literature which
could be described as constraint propagators. By “constraint propagation”
I mean an inference process whose running time, or number of processing
steps, is directly bounded by the size of a finite constraint network. Ontic
is a constraint propagation system in two ways. First of all, one of the
fundamental inference mechanisms is Boolean constraint propagation which
is a special case of the arc-consistency constraint propagation technique for
general constraint satisfaction problems [Mackworth 77]. Second, all of Ontic’s
inference mechanisms operate by labeling a graph structure. The graph
structure is analogous to a constraint network in that the total number of
labeling operations is directly bounded by the size of that graph structure.

Many artificial intelligence researchers have used constraint propagation.
Waltz used constraint propagation to filter the possible interpretations of
lines in line drawings of polygonal physical objects [Waltz 75]. A line in a
drawing of a scene can be interpreted as a convex edge on a single object, a
concave edge on a single object or an edge between two objects. A particular
interpretation of an edge is called a “label” for that edge. Vertices between
edges provide constraints on the possible interpretations of edges. In Waltz
line labeling a forward chaining inference process systematically eliminates
possible labelings of individual edges. The running time of the process is
directly bounded by the number of edges and the number of labels that can
be eliminated.

The Waltz line labeling procedure can be used in the more general setting
of an arbitrary constraint satisfaction problem [Mackworth 77]. A constraint
satisfaction problem consists of a set of variables each of which can be assigned
one of a finite set of possible values and a set of constraints where each
constraint restricts the simultaneous assignments for a given subset of the
variables. The arc-consistency procedure, which is a straightforward generalization
of Waltz labeling, systematically eliminates possible interpretations of
variables based on local constraints. The running time of the arc-consistency
procedure is directly bounded by the number of variables and the number
of possible assignments for each variable. Boolean constraint propagation
is a special case of the arc-consistency procedure where the variables are
Boolean, i.e. they can be assigned the labels true or false, and the constraints
are disjunctive clauses involving the Boolean variables. Boolean constraint
propagation is described in more detail in chapter 4.

Sussman and Steele have proposed a language for expressing constraints
on real valued variables and constraint propagation techniques for dealing
with such constraints [Sussman & Steele 80]. The number of propagation
operations performed by Sussman and Steele’s system was directly bounded
by the number of variables involved.

Nevins constructed a forward chaining geometry theorem prover which
restricted the forward chaining inference process to an a priori fixed set of
formulas [Nevins 74]. Nevins’ program used a diagram to focus the system’s
attention on certain lines. If a geometry problem has n points then there
are possible line segments between these points. A diagram, however,
specifies a subset of the lines, those actually drawn in the diagram.
By limiting forward chaining to statements about these focused lines, the
forward chaining process does not generate large numbers of irrelevant facts.
With Nevins’ focused forward chaining mechanism there is no need for the
diagrammatic filter used by Gelernter [Gelernter 59].

Ontic’s inference processes operate on a finite graph structure; the number
of labeling operations is directly bounded by the size of that graph structure.
The Ontic system can use the same graph structure in different contexts to
reason about different focus objects. When a generic individual g is bound to
a focus object r, a formula involving g can be viewed as a formula involving r;
in the presence of bindings the formula nodes in the graph structure represent
formulas about focus objects. Different bindings cause the nodes in the graph
structure to represent statements about different objects.


2.1.2 Congruence Closure

Congruence closure is the process of “closing” an equivalence relation on
expressions under the inference rule of substitution of equals for equals.
Congruence closure was first discussed by Kozen for reasoning about finitely
presented algebras [Kozen 77]. Congruence closure has also been used by
Nelson and Oppen in constructing fast decision procedures for a variety of
problems that arise in automatic program verification [Nelson and Oppen 80].
The congruence closure procedure used in the Ontic system, and discussed in
some detail in chapter 4, is based on the procedure given by Downey, Sethi
and Tarjan [Downey, Sethi & Tarjan 80].

Ontic uses congruence closure both as a mechanism for reasoning about
equality and as a replacement for unification. The relationship between Ontic’s
use of congruence closure and traditional unification is discussed in section
2.2.


2.1.3  Focused  Binding  as  Inheritance 

Focused  binding  can  be  viewed  as  an  inheritance  mechanism:  information 
about  a  type  is  inherited  by  instances  of  that  type.  Type  hierarchies  and 
inheritance  also  play  an  important  role  in  object  oriented  programming  lan- 
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guages  such  as  Smalltalk  [Ingalls  76].  In  object-oriented  programming,  data 
types  are  organized  into  a  hierarchy  where  one  data  type  can  be  a  subtype  of 
another.  Data  objects  are  usually  records  with  data  fields.  A  given  data  ob¬ 
ject  inherits  both  data  fields  and  functional  behavior  from  all  the  supertypes 
of  its  immediate  type.  A  fairly  rigorous,  though  not  very  general,  treatment 
of  some  basic  ideas  in  object-oriented  programming  is  given  in  [Cardelli  84], 

Type  hierarchies  and  inheritance  also  play  a  central  role  in  many  knowl¬ 
edge  representation  systems  and  object  oriented  programming  languages. 
Frame-based  knowledge  representation  languages  typically  allow  the  user  to 
define  “concepts”  which  he  or  she  organizes  into  an  “is-a”  hierarchy  (e.g. 
[Brachman  &  Schmolze  85]).  A  concept  represents  a  class  of  structured  ob¬ 
jects;  the  concept  is  associated  with  a  set  of  “slots”;  an  instance  of  that 
concept  is  an  object  with  specific  “fillers”  or  “values”  for  the  slots  of  the 
concept.  For  example  the  concept  room  might  have  slots  ceiling ,  floor ,  walls, 
and  furniture.  Any  particular  room  will  have  a  particular  ceiling,  a  particular 
floor,  and  a  particular  set  of  pieces  of  furniture.  Furthermore,  a  concept  can 
place  certain  constraints  on  the  slot  fillers.  For  example  the  concept  room 
might  specify  that  the  furniture  slot  is  always  filled  with  a  set  of  physical 
objects.  The  user  could  introduce  the  concept  auditorium  as  a  specialization 
of  the  concept  room  and  the  concept  auditorium  would  then  automatically 
“inherit”  the  slots  and  constraints  of  the  concept  room. 

Ontic’s  focused  binding  mechanism  is  very  similar  to  Fahlman’s  virtual 
copy  mechanism  based  on  marker  propagation  [Fahlman  76].  Fahlman  proposed  a  semantic  network  formalism  in  which  objects  inherit  information 
from  classes  by  passing  markers  along  links  in  the  network.  The  marker 
passing  is  done  in  such  a  way  that  the  object  being  considered  becomes  a 
“virtual  copy”  of  generic  objects  which  contain  information  about  classes. 
In  the  Ontic  system  color  labels  are  used  instead  of  Fahlman’s  markers.  A 
focus  object  is  made  into  a  virtual  copy  of  a  generic  individual  by  assigning 
the  generic  individual  the  same  color  label  as  the  focus  object;  congruence 
closure  ensures  that  if  two  nodes  have  the  same  color  label  then  they  have 
identical  properties. 

In  the  Ontic  system  inheritance  is  just  one  aspect  of  an  integrated  theo¬ 
rem  proving  mechanism.  Generic  individuals  are  viewed  as  logical  variables 
that  range  over  a  given  type.  Inheritance  occurs  when  a  generic  individual 
g  is  bound  to  a  focus  object  r  via  a  binding  $g \mapsto r$.  Fahlman’s  inheritance 
mechanism,  on  the  other  hand,  was  not  viewed  as  a  formal  inference  mech¬ 
anism  and  Fahlman  did  not  propose  integrating  his  inheritance  mechanism 
with  other  formal  inference  techniques  such  as  Boolean  constraint  propaga¬ 
tion,  congruence  closure,  or  automatic  universal  generalization. 


2.1.4  Automatic  Universal  Generalization 


Automatic  universal  generalization  arises  from  a  very  simple  idea:  if  a  fact  is 
proven  about  a  generic  individual  g  of  type  τ  and  no  assumptions  have  been 
made  about  g  other  than  that  g  is  an  instance  of  τ,  then  the  fact  holds  for  all 
instances  of  τ.  In  spite  of  the  simplicity  of  the  underlying  idea,  Ontic’s  universal  generalization  technique  seems  to  be  unlike  any  previous  automatic 
inference  mechanism.  For  example,  a  comparison  of  Ontic  and  resolution 
theorem  provers  shows  that  when  Ontic  performs  universal  generalization  it 
is  treating  a  generic  individual  as  a  Skolem  constant  introduced  by  a  universally  quantified  goal  formula.  But,  unlike  resolution,  the  Ontic  system  does 
not  make  any  distinction  between  variables  and  Skolem  constants.  Generic 
individuals  in  Ontic  are  used  in  three  different  ways.  If  instances  of  a  type 
τ  are  known  to  exist  then  each  generic  individual  of  type  τ  is  asserted  to  be 
an  instance  of  τ.  In  this  way  the  generic  individuals  can  be  used  as  Skolem 
constants  introduced  by  the  premise  that  instances  of  τ  exist.  But  generic 
individuals  are  also  used  as  variables  that  can  be  bound  to  specific  terms  in 
much  the  same  way  that  resolution  variables  are  bound  during  unification. 
Generic  individuals  are  used  in  yet  a  third  way  by  the  universal  generalization  mechanism;  universal  generalization  treats  generic  individuals  as  Skolem 
constants  introduced  by  universally  quantified  goal  statements. 

The  real  novelty  of  the  Ontic  system  lies  in  the  way  that  the  above  four 
inference  mechanisms  are  brought  together.  Ontic  integrates  constraint  prop¬ 
agation,  congruence  closure,  inheritance,  and  universal  generalization  in  a 
single  object-oriented  labeling  process  on  a  fixed  graph  structure. 
2.2  Focused  Binding  vs.  Unification 


One  of  the  most  striking  features  of  the  Ontic  system,  as  compared  to  other 
theorem  proving  systems,  is  that  Ontic  does  not  use  unification.  Unification 
is  often  used  to  access  information  in  a  data  base.  A  Prolog  interpreter, 
for  example,  takes  a  goal  formula  and  finds  a  production  in  the  data  base 
whose  left  hand  side  unifies  with  the  given  goal.  A  rewrite  system  takes  an 
expression  to  be  simplified  and  finds  a  rewrite  rule  in  the  data  base  whose 
left  hand  side  unifies  with  the  expression  to  be  simplified.  Under  the  set- 
of-support  heuristic  a  resolution  theorem  prover  finds  a  clause  in  the  data 
base  such  that  a  literal  of  that  clause  unifies  with  a  subgoal  in  the  current 
problem.  In  all  these  cases  the  system  is  finding  an  expression  in  the  data 
base  which  unifies  with  an  expression  in  the  current  problem. 

Ontic  accesses  information  in  the  lemma  library  via  the  focused  binding 
mechanism.  Both  unification  and  focused  binding  generate  variable  bindings 
which  are  useful  to  produce  specialized  instances  of  the  general  formulas 
in  a  data  base.  However,  unification  and  focused  binding  generate  variable 
bindings  in  very  different  ways.  Unification  starts  with  the  expressions  to  be 
matched  and  generates  variable  bindings  which  lead  to  the  match.  Focused 
binding,  on  the  other  hand,  starts  with  focus  objects  then  generates  variable 
bindings  (bindings  of  generic  individuals)  and  relies  on  congruence  closure  to 
generate  “matches”  between  expressions  involving  variables  and  expressions 
involving  the  focus  objects.  Unification  is  a  local  process:  unification  is 
used  in  the  application  of  a  single  rewrite  rule  or  in  a  single  resolution  step. 
Focused  binding,  on  the  other  hand,  is  a  global  process  involving  an  arbitrary 
number  of  facts  from  the  lemma  library.  Focused  binding  is  integrated  into 
the  theorem-proving  process.  Automated  inference  and  knowledge  from  the 
lemma  library  is  used  both  in  determining  the  types  which  apply  to  a  given 
object  and  in  determining  equivalences  between  expressions  after  bindings 
have  been  performed. 

Considerable  research  has  been  directed  toward  incorporating  various 
kinds  of  knowledge  (axiomatic  theories)  into  unification.  Equational  axioms, 
such  as  the  commutativity  and  associativity  properties  of  addition,  can  be 
incorporated  into  the  unification  process  so  that,  for  example,  $a + x$  matches 
$b + a$  with  the  binding  $x \mapsto b$.  Taxonomic  information,  information  involving 
the  classification  of  objects  into  types,  can  also  be  incorporated  into  the  uni¬ 
fication  process.  Because  Ontic’s  focused  binding  mechanism  is  integrated 
with  the  theorem  proving  process,  focused  binding  automatically  incorpo¬ 
rates  both  equational  and  taxonomic  information  into  the  matching  process; 
any  lemma  in  the  lemma  library  may  be  used  in  Ontic’s  matching  process. 
However,  unlike  most  unification  mechanisms,  Ontic’s  matching  process  is 
not  logically  complete:  it  is  possible  that  two  expressions  are  provably  equiv¬ 
alent  and  yet  the  Ontic  system  fails  to  match  them.  This  is  consistent  with 
the  overall  design  philosophy  of  the  Ontic  system;  to  ensure  that  the  system 
always  terminates  quickly,  completeness  has  been  abandoned. 


2.2.1  Unification  Relative  to  Equational  Theories 

There  has  been  a  considerable  amount  of  research  dedicated  to  incorporating 
equational  theories  into  unification.  For  example  consider  addition  as  an 
associative  and  commutative  operator.  Now  consider  the  problem  of  unifying 
$x + (a + b)$  and  $a + (c + b)$.  The  binding  $x \mapsto c$  unifies  these  two  terms  in  the 
sense  that  the  equation 

$$c + (a + b) = a + (c + b)$$

follows  from  the  associative  and  commutative  properties  of  $+$. 

More  generally,  let  Γ  be  a  set  of  universally  quantified  equations  between 
first  order  terms.  For  example  Γ  might  consist  of  the  associative  and  commutative  laws  for  addition.  A  general  purpose  theorem  prover,  such  as  a  resolution  system,  could  handle  the  equations  in  Γ  simply  by  adding  the  equations 
in  Γ  to  the  data  base  of  general  facts.  In  practice,  however,  it  seems  more 
efficient  to  incorporate  certain  equational  facts  into  the  unification  process. 
Once  these  facts  have  been  incorporated  into  the  unification  process  they  can 
be  removed  from  the  general  data  base  without  loss  of  logical  completeness. 

A  given  set  of  equational  axioms  Γ  has  a  corresponding  unification  problem.  For  any  substitution  σ  and  any  expression  u  we  define  σ(u)  to  be  the 
result  of  simultaneously  replacing  all  free  variables  in  u  with  their  image  under  σ.  A  unification  of  two  expressions  s  and  t  relative  to  the  axioms  in  Γ  is 
a  substitution  σ  which  yields  a  match  between  s  and  t  relative  to  Γ,  i.e.  such 
that  the  equational  formulas  in  Γ  imply  that  σ(s)  equals  σ(t).  If  Γ  states 
that  $+$  is  associative  and  commutative  then  the  substitution  $\{x \mapsto c\}$  unifies 
$x + (a + b)$  and  $a + (c + b)$  relative  to  Γ.  The  unification  problem  for  Γ  is  the 
problem  of  computing,  for  any  given  expressions  s  and  t,  a  representation  of 
all  unifications  of  s  and  t  relative  to  Γ. 

If  Γ  consists  of  a  single  commutative  operation  then  it  is  easy  to  determine 
if  there  exists  a  unification  of  any  two  given  terms  relative  to  Γ.  On  the  other 
hand  if  Γ  states  that  a  binary  operator  •  is  associative,  and  •  distributes  over  a 
binary  operator  +,  then  there  is  no  procedure  which  can  decide  the  existence 
of  a  unification  of  two  arbitrary  terms  relative  to  Γ.  These  results  and  others 
are  discussed  in  a  review  article  by  Siekmann  [Siekmann  84]. 

Unification  relative  to  equational  theories  can  be  compared  with  Ontic’s 
focused  binding  mechanism.  Ontic  first  binds  variables  (generic  individuals) 
of  the  appropriate  type  to  focus  objects  and  then  uses  congruence  closure  to 
“match”  expressions  involving  the  variables  with  expressions  involving  the 
focus  objects.  Ontic’s  matching  process  (congruence  closure)  automatically 
incorporates  equations  from  the  lemma  library.  For  example  suppose  that 
Ontic’s  lemma  library  contains  the  associative  and  commutative  laws  for  ad¬ 
dition  on  the  natural  numbers.  More  specifically,  suppose  the  lemma  library 
includes  the  following  three  lemmas: 

(FORALL ((X NATURAL-NUMBER)
         (Y NATURAL-NUMBER))
  (= (SUM-OF X Y)
     (SUM-OF Y X)))

(FORALL ((X NATURAL-NUMBER)
         (Y NATURAL-NUMBER)
         (Z NATURAL-NUMBER))
  (= (SUM-OF X (SUM-OF Y Z))
     (SUM-OF (SUM-OF X Y) Z)))

(FORALL ((X NATURAL-NUMBER)
         (Y NATURAL-NUMBER)
         (Z NATURAL-NUMBER))
  (= (SUM-OF X (SUM-OF Y Z))
     (SUM-OF (SUM-OF Y Z) X)))

The  first  and  second  lemma  above  express  the  fact  that  addition  is  com¬ 
mutative  and  associative  respectively.  The  third  lemma  follows  from  the 
other  two.  If  the  third  lemma  were  not  explicitly  given,  however,  then  when 
focusing  on  three  generic  numbers  $g_1$,  $g_2$  and  $g_3$  the  following  equation  would 
not  be  obvious  to  the  Ontic  system. 

$$g_1 + (g_2 + g_3) = (g_2 + g_3) + g_1$$

To  prove  this  equation  in  the  absence  of  the  third  lemma,  or  to  prove  the 
third  lemma  from  the  other  two,  the  system  must  focus  on  the  sum  $g_2 + g_3$ 
so  that  the  commutative  law  is  applied  to  $g_1 + (g_2 + g_3)$.  The  associative  and 
commutative  laws  allow  for  twelve  different  ways  of  writing  down  the  sum  of 
$g_1$,  $g_2$  and  $g_3$:  there  are  six  different  orders  in  which  the  numbers  can  appear 
and  two  different  ways  of  parenthesizing  each  order.  In  the  presence  of  the 
three  lemmas  given  above  all  twelve  ways  of  writing  the  sum  are  equivalent; 
the  twelve  nodes  in  the  graph  structure  that  represent  the  twelve  different 
expressions  for  this  sum  are  all  in  the  same  equivalence  class;  they  have  the 
same  color  label.  Now  suppose  the  user  focuses  on  three  particular  numbers 
$a$,  $b$  and  $c$.  The  Ontic  system  will  bind  a  generic  number  to  each  of  these 
three  particular  numbers;  assume  that  the  system  generates  the  bindings 

$$g_1 \mapsto a, \qquad g_2 \mapsto b, \qquad g_3 \mapsto c$$

Given  that  all  twelve  expressions  for  the  sum  of  $g_1$,  $g_2$  and  $g_3$  are  in  the 
same  equivalence  class,  congruence  closure  together  with  the  above  bindings  ensures  that  the  term  $a + (b + c)$  is  equivalent  to  the  term  $b + (c + a)$.  By 
using  congruence  closure  as  a  matching  mechanism,  and  by  precompiling 
equational  theories  as  equations  involving  generic  individuals,  the  Ontic  sys¬ 
tem  automatically  performs  theory-relative  matching.  Unfortunately  Ontic’s 
matching  process  is  not  complete:  the  incompleteness  is  demonstrated  by  the 
need  for  the  third  lemma  given  above.  On  the  other  hand,  as  the  example 
shows,  one  can  always  improve  the  power  of  the  matching  process  by  adding 
derived  equational  lemmas  to  the  lemma  library. 

Ontic's  focused  binding  mechanism  automatically  incorporates  any  equa¬ 
tional  lemma  whatsoever  into  the  congruence  closure  process;  in  the  Ontic 
system  one  does  not  have  to  design  a  new  theory-relative  matching  process 
for  each  new  theory  as  one  must  do  for  theory  relative  unification.  Ontic’s 
mechanism  has  the  disadvantage  however  that  there  is  no  guarantee  of  com¬ 
pleteness  —  congruence  closure  may  fail  to  equate  semantically  equal  terms. 
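The matching process described in this section, as an added example that is not part of the thesis and not code from the Ontic implementation: a small congruence closure (union-find plus a signature table, in the spirit of the Downey, Sethi and Tarjan procedure) and a binding step that instantiates each lemma variable at each focus object and asserts the resulting ground equation. That binding step is a simplification made for the example, not Ontic's colour-label mechanism; the term syntax, the lemma and focus-object names, and the Python API are likewise assumptions of the example. It shows the twelve AC-variants of $g_1 + g_2 + g_3$ collapsing into one class, the bindings $g_1 \mapsto a$, $g_2 \mapsto b$, $g_3 \mapsto c$ matching $a + (b + c)$ with $b + (c + a)$ purely by congruence, and the incompleteness the text describes: a sum involving an object that was never focused (a fresh $d$, and the subterm $a + b$) is not matched until those objects are focused.

```python
from itertools import permutations, product


def sum_of(x, y):
    """The term (SUM-OF x y). Terms are strings (objects) or tuples (applications)."""
    return ("SUM-OF", x, y)


class CongruenceClosure:
    """Union-find over terms closed under congruence: whenever the arguments of
    two applications become pairwise equal, the applications are merged too.
    A simplified signature-table version of the Downey/Sethi/Tarjan scheme."""

    def __init__(self):
        self.parent = {}  # term -> parent term (union-find forest)
        self.uses = {}    # class representative -> applications with an argument in the class
        self.sigs = {}    # (symbol, rep(arg1), rep(arg2), ...) -> an application with that signature

    def add(self, term):
        if term in self.parent:
            return
        self.parent[term] = term
        self.uses[term] = []
        if isinstance(term, tuple):
            for arg in term[1:]:
                self.add(arg)
                self.uses[self.find(arg)].append(term)
            self._recheck(term)

    def find(self, term):
        while self.parent[term] != term:
            self.parent[term] = self.parent[self.parent[term]]  # path halving
            term = self.parent[term]
        return term

    def _recheck(self, app):
        # A signature collision means the arguments are pairwise equal, so the
        # two applications are equal by substitution of equals for equals.
        sig = (app[0],) + tuple(self.find(a) for a in app[1:])
        other = self.sigs.setdefault(sig, app)
        if other != app:
            self.merge(other, app)

    def merge(self, a, b):
        self.add(a)
        self.add(b)
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return
        if len(self.uses[ra]) > len(self.uses[rb]):
            ra, rb = rb, ra            # absorb the class with fewer users
        self.parent[ra] = rb
        pending = self.uses.pop(ra)
        self.uses[rb].extend(pending)
        for app in pending:            # their signatures changed: propagate upward
            self._recheck(app)

    def equal(self, a, b):
        self.add(a)
        self.add(b)
        return self.find(a) == self.find(b)


# The three lemmas from the text as (variables, left side, right side).
COMMUTATIVE = (("X", "Y"), sum_of("X", "Y"), sum_of("Y", "X"))
ASSOCIATIVE = (("X", "Y", "Z"), sum_of("X", sum_of("Y", "Z")), sum_of(sum_of("X", "Y"), "Z"))
DERIVED = (("X", "Y", "Z"), sum_of("X", sum_of("Y", "Z")), sum_of(sum_of("Y", "Z"), "X"))


def instantiate(term, env):
    if isinstance(term, tuple):
        return (term[0],) + tuple(instantiate(a, env) for a in term[1:])
    return env.get(term, term)


def focused_binding(cc, lemmas, focus):
    """Simplified binding (an assumption of this example): bind every lemma
    variable to every focus object and assert the resulting ground equation."""
    for variables, lhs, rhs in lemmas:
        for objects in product(focus, repeat=len(variables)):
            env = dict(zip(variables, objects))
            cc.merge(instantiate(lhs, env), instantiate(rhs, env))


def ac_variants(x, y, z):
    """The twelve ways of writing x+y+z: six orders, two bracketings each."""
    return [t for p, q, r in permutations((x, y, z))
            for t in (sum_of(p, sum_of(q, r)), sum_of(sum_of(p, q), r))]


def demo():
    cc = CongruenceClosure()
    generics = ("g1", "g2", "g3")
    focused_binding(cc, [COMMUTATIVE, ASSOCIATIVE, DERIVED], generics)
    variants = ac_variants(*generics)
    twelve = all(cc.equal(variants[0], v) for v in variants[1:])
    for generic, obj in zip(generics, ("a", "b", "c")):   # g1 -> a, g2 -> b, g3 -> c
        cc.merge(generic, obj)
    matched = cc.equal(sum_of("a", sum_of("b", "c")), sum_of("b", sum_of("c", "a")))
    # d was never focused, so no lemma instance mentions it: no match ...
    before = cc.equal(sum_of(sum_of("a", "b"), "d"), sum_of("d", sum_of("a", "b")))
    # ... until the sum a+b and d are focused and commutativity is bound to them.
    focused_binding(cc, [COMMUTATIVE], (sum_of("a", "b"), "d"))
    after = cc.equal(sum_of(sum_of("a", "b"), "d"), sum_of("d", sum_of("a", "b")))
    return {"twelve_equivalent": twelve, "a_b_c_matched": matched,
            "d_unfocused": before, "d_after_focus": after}
```

Nothing in `demo()` searches for a substitution: the match between $a + (b + c)$ and $b + (c + a)$ falls out of the signature table once $a$, $b$, $c$ share classes with $g_1$, $g_2$, $g_3$, which is the sense in which congruence closure replaces unification here. The `d` case is the price: terms built from objects that were never bound to a generic individual get no equations at all, which is why the text says the user must focus on the sum before the commutative law applies to it.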


2.2.2  Unification  Relative  to  Taxonomic  Theories 


Several  researchers  have  investigated  unification  relative  to  theories  which 
are  not  equational.  Non-equational  theories  incorporated  into  the  unification 
process  are  sometimes  called  taxonomic  theories  because  they  usually  encode 
a  classification  of  objects  into  types.  The  separation  of  “taxonomic”  and 
“assertional”  information  has  been  discussed  in  the  knowledge  representation 
literature  [Brachman,  Fikes  &  Levesque  82].  For  example  consider  the  axiom 

$$\forall x\; \mathit{whale}(x) \Rightarrow \mathit{mammal}(x)$$

This  axiom  expresses  an  inclusion  relation  between  the  “type”  whale  and 
the  type  mammal.  Inclusion  relations  of  this  kind  can  be  incorporated  into 
the  unification  process  and  need  not  be  stated  explicitly  in  the  data  base  of 
a  general  purpose  theorem  prover. 

Walther  has  given  a  unification  algorithm  which  handles  any  taxonomic 
theory  expressible  as  a  partial  order  on  class  symbols  [Walther  84a].  He 
showed  that  for  any  such  taxonomic  theory  T  and  any  two  typed  terms  s 
and  t  the  set  of  all  unifications  of  s  and  t  can  be  expressed  with  a  finite  set  of 
most  general  unifiers  (i.e.  the  unification  problem  is  finitary).  Furthermore 
he  showed  that  if  the  type  hierarchy  is  a  tree  then  there  is  a  single  most 
general  unifier. 

Ait-Kaci  and  Nasr  have  given  a  unification  algorithm  for  a  more  expressive 
class  of  taxonomic  theories  and  propose  using  this  algorithm  in  an  implementation  of  the  programming  language  PROLOG  [Ait-Kaci  &  Nasr  86].  Stickel 
has  investigated  the  use  of  taxonomic  theories  in  even  greater  generality  although  Stickel  does  not  address  unification  as  a  mechanism  for  generating 
variable  bindings  (only  the  ground  case  is  considered  as  lifting  to  the  general 
case  is  “straightforward”)  [Stickel  85]. 


Ontic's  mechanism  for  inheritance  via  semantic  modulation  is  based  on 
taxonomic  information.  More  specifically,  the  Ontic  system  classifies  each 
focus  object  by  associating  each  focus  object  with  a  set  of  types  known  to  be 
true  of  that  focus  object.  This  classification  process  takes  the  type  hierarchy 
into  account.  For  example  if  r  is  a  focus  object,  σ  is  a  type  known  to  hold  of 
r,  and  the  formula  (IS-EVERY  σ  τ)  is  labeled  true,  then  the  classification 
process  will  collect  τ  as  a  type  known  to  hold  of  r. 

Unlike  unification,  Ontic’s  focused  binding  mechanism  integrates  the  use 
of  type  information  with  other  theorem  proving  mechanisms.  Ontic  may 
prove  a  statement  about  types  and  use  that  statement  immediately  in  clas¬ 
sifying  the  current  focus  objects.  Ontic’s  focused  binding  mechanism  automatically  incorporates  arbitrary  lemmas  about  the  types  of  objects.  There  is 
no  guarantee,  however,  that  Ontic’s  focused  binding  mechanism  will  derive 
all  the  logical  consequences  of  taxonomic  information. 


2.2.3  Higher-Order  Unification 

Unification  has  been  generalized  to  allow  for  higher-order  variables;  higher- 
order  unification  can  be  used  to  bind  variables  that  range  over  functions  and 
predicates  as  well  as  variables  ranging  over  first  order  terms.  For  example, 
consider  the  induction  schema  for  Peano  arithmetic. 

$$P(0) \land \forall n\,(P(n) \Rightarrow P(n+1)) \;\Rightarrow\; \forall n\, P(n) \qquad (2.1)$$

In  this  schema  P  is  a  variable  which  ranges  over  predicates.  This  schema 
can  be  instantiated  with  any  predicate  P  and  higher-order  unification  can 
be  used  to  find  bindings  for  P.  For  example  consider  a  function  f  which  is 
known  to  be  monotone: 

$$\forall m\; f(m+1) \ge f(m) \qquad (2.2)$$

and  we  wish  to  prove 

$$\forall m\; f(m) \ge f(0) \qquad (2.3)$$

To  prove  this  last  statement  a  backward  chaining  theorem  prover  might  unify 
$P(n)$  from  the  conclusion  of  2.1  with  the  goal  $f(m) \ge f(0)$  from  2.3.  This 
unification  leads  to  the  following  binding: 

$$P \mapsto (\lambda(n)\; f(n) \ge f(0))$$

A  backward  chaining  inference  system  could  then  establish  the  antecedents 
of  2.1  under  the  above  binding  for  the  predicate  P. 

The  first  complete  unification  procedure  for  higher-order  logic  was  con¬ 
structed  by  Gerard  Huet  [Huet  75].  Higher-order  unification  has  been  used 
effectively  in  at  least  two  mathematical  verification  systems,  Ketonen’s  EKL 
system  [Ketonen  84]  and  Andrews’  TPS  [Miller  et  al.  82].  In  both  sys¬ 
tems  the  higher-order  unification  procedure  was  found  to  terminate  quickly 
in  practice. 

The  Ontic  system  is  higher-order  in  the  same  sense  that  axiomatic  set 
theory  is  higher-order;  functions  and  predicates  can  be  “reified”  as  sets  and 
thus  first  order  variables  can  be  made  to  range  over  functions  and  predicates. 
In  the  Ontic  system  the  user  can  focus  on  a  reified  predicate  Q  and  thus  cause 
the  system  to  bind  variables  to  the  predicate  Q.  This  kind  of  “higher-order” 
binding  is  used  many  times  in  the  mathematical  development  given  in  the 
appendix. 

While  the  Ontic  system  does  allow  for  higher-order  reasoning,  the  Ontic 
system  does  not  adequately  handle  mathematical  induction.  Verifying  in¬ 
duction  proofs  in  the  Ontic  system  results  in  a  large  expansion  factor;  the 
machine  readable  proofs  are  significantly  longer  than  the  natural  language 
counterpart. 

Higher-order  unification  provides  one  technique  for  reducing  the  expansion  factor  for  induction  proofs.  The  EKL  system  relies  on  higher  order 
unification  both  in  establishing  the  well  formedness  of  recursive  definitions 
and  in  performing  induction  arguments  to  prove  properties  of  recursively 
defined  functions.  But  there  seem  to  be  other,  perhaps  even  better,  tech¬ 
niques  for  reasoning  about  recursive  definitions.  The  Boyer-Moore  theorem 
prover  is  extremely  effective  in  performing  induction  arguments  but  does  not 
use  higher  order  unification  [Boyer  &  Moore  79].  Ontic’s  weakness  with  re¬ 
gard  to  induction  arguments  and  possible  ways  of  making  Ontic’s  induction 
mechanisms  more  powerful  are  discussed  in  section  3.2.2. 


2.3  Inference  Mechanisms  Unlike  Ontic’s 


This  section  surveys  some  of  the  general  purpose  inference  mechanisms  that 
have  been  introduced  in  the  past  thirty  years  and  compares  these  mechanisms 
with  Ontic’s  object-oriented  inference  mechanisms.  Only  general  purpose  in¬ 
ference  mechanisms  are  discussed  here;  domain  specific  mechanisms,  such  as 
Chou’s  application  of  Wu’s  method  to  geometry  theorem  proving,  will  not  be  discussed  [Wu  86]  [Chou  84].  I  will  also  not  discuss  decision  procedures  for 
particular  theories  or  mechanisms  for  combining  decision  procedures  [Nelson  &  Oppen  79]  [Shostak  82]. 

This  section  briefly  discusses  some  particular  general  purpose  inference 
systems.  The  automath  proof  verification  systems  used  normalization  of  the 
typed  lambda  calculus  as  an  inference  mechanism.  The  Davis-Putnam  proce¬ 
dure  was  based  on  a  direct  enumeration  of  the  Herbrand  universe  for  a  set  of 
first  order  sentences.  The  resolution  procedure  and  its  variants  improved  on 
the  Davis-Putnam  procedure  by  introducing  unification,  thereby  allowing  a 
large  number  of  ground  inferences  to  be  abbreviated  with  a  single  resolution 
step.  The  Boyer-Moore  theorem  prover  finds  induction  proofs  for  verifying 
equations  concerning  recursive  programs  in  pure  Lisp.  The  Boyer-Moore 
theorem  prover  is  based  on  user-defined  (and  machine  verified)  rewrite  rules 
together  with  heuristics  for  generalizing  induction  hypotheses.  The  Knuth- 
Bendix  procedure  provides  a  way  of  converting  a  set  of  unordered  equations 
into  a  set  of  rewrite  rules  for  canonicalizing  expressions.  The  Knuth-Bendix 
procedure  can  also  be  used  for  proving  certain  equations  about  recursive 
programs  via  an  “inductionless”  induction  technique.  Finally,  a  fair  num¬ 
ber  of  systems  have  been  constructed  which  use  automated  theorem  proving 
support  to  verify  natural  deduction  proofs. 


2.3.1  Automath 

The  typed  lambda  calculus  is  closely  related  to  intuitionistic  (constructive) 
proof  theory.  The  analogy  between  typed  lambda  calculus  and  intuitionistic 
proof  theory  is  based  on  viewing  types  as  formulas  and  viewing  a  term  of  type 
τ  as  a  proof  of  τ  (where  τ  is  viewed  as  a  formula).  If  the  formulas  encoded 
by  types  include  quantifiers,  i.e.,  if  the  type  system  has  dependent  types, 
then  it  can  be  difficult  to  determine  if  a  term  u  has  type  r.  More  specifically, 
determining  if  u  has  type  r  may  involve  normalizing  (i.e.  evaluating)  the  term 
u.  This  normalization  process  can  be  viewed  as  inference  where  β-reductions 
correspond  to  either  the  inference  rule  of  modus-ponens  or  the  inference  rule 
of  universal  instantiation. 

The  relationship  between  types  and  formulas  of  intuitionistic  logic  un¬ 
derlies  one  of  the  earlier  mathematical  verification  systems,  the  Automath 
system  [deBruijn  68],  [deBruijn  73].  The  Automath  system  has  been  used 
to  verify  Landau’s  Grundlagen,  a  book  on  the  foundations  of  the  integers, 
rationals,  reals,  and  complex  numbers  [Jutting  79].  The  book  includes  a  very 
rigorous  (almost  formal)  definition  of  each  number  system.  The  rationals  are 
defined  as  equivalences  classes  of  pairs  of  integers,  the  reals  are  defined  as 
Dedekind  cuts  in  the  rationals,  the  complex  numbers  are  defined  as  pairs  of 
reals.  The  book  also  includes  proofs  that  the  basic  algebraic  operations  on 
these  numbers  are  well  defined  (e.g.  addition  of  rationals.  multiplication  of 
reals).  No  significant  theorems  are  proven  other  than  the  well-formedness  of 
these  basic  definitions. 

Even  though  Landau’s  Grundlagen  is  an  extremely  rigorous  (almost  for¬ 
mal)  book,  the  version  of  the  book  readable  by  the  Automath  system  is  about 
ten  times  as  long  as  the  Grundlagen  itself.  This  indicates  that  the  Automath 
verifier  does  not  use  powerful  automatic  inference  mechanisms;  there  is  not 
yet  good  evidence  that  normalization  of  the  typed  lambda  calculus  is  a  useful 
automated  inference  mechanism. 


2.3.2  The  Davis-Putnam  Procedure 

The  Davis-Putnam  procedure  [Davis  &  Putnam  60]  is  based  directly  on  Her- 
brand’s  theorem  for  the  first  order  predicate  calculus.  Herbrand’s  theorem 
implies  that  if  Σ  is  an  unsatisfiable  set  of  first  order  formulas  in  Skolem  normal  form  then  there  exists  a  finite  set  Γ  of  ground  instantiations  of  Σ  such 
that  Γ  is  inconsistent.  It  is  possible  to  write  a  computer  program  that  decides 
whether  a  set  of  ground  formulas  is  consistent.  To  determine  if  the  original 
set  Σ  of  first  order  formulas  is  satisfiable,  one  can  simply  enumerate  all  finite 
ground  instantiations  Γ  of  Σ  and  test  each  one  for  consistency.  If  Σ  is  inconsistent  then  by  Herbrand’s  theorem  one  will  find  a  ground  instantiation  Γ  of 
Σ  that  is  inconsistent. 
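The enumeration just described, as an added example that is not from the thesis and not an implementation of the 1960 program: ground instances of a Skolemized clause set are generated by increasing Herbrand depth, and each instance set is tested for propositional consistency until an inconsistent one is found. The clause encoding, the depth bound, the `davis_putnam` name and the sample clauses are constructed for the example; the ground consistency check uses unit propagation with case splitting (the later Davis-Putnam-Logemann-Loveland form, an assumption of the example rather than the original rules). The second sample set is satisfiable and shows why the procedure is only a semi-decision procedure: without the depth bound it would never stop.

```python
from itertools import product

# A clause is a list of literals (positive: bool, predicate, args). Variables
# are strings starting with an upper-case letter, constants are lower-case
# strings, and function applications are tuples (symbol, arg1, ...).


def is_var(term):
    return isinstance(term, str) and term[:1].isupper()


def variables(clause):
    """Sorted variable names occurring in a clause."""
    found = set()

    def walk(term):
        if isinstance(term, tuple):
            for a in term[1:]:
                walk(a)
        elif is_var(term):
            found.add(term)

    for _, _, args in clause:
        for a in args:
            walk(a)
    return sorted(found)


def ground(term, env):
    if isinstance(term, tuple):
        return (term[0],) + tuple(ground(a, env) for a in term[1:])
    return env.get(term, term)


def herbrand_terms(constants, functions, depth):
    """Ground terms of nesting depth at most `depth` over the constants and
    the (symbol, arity) function symbols. Assumes at least one constant."""
    terms = set(constants)
    for _ in range(depth):
        new = set(terms)
        for symbol, arity in functions:
            for args in product(terms, repeat=arity):
                new.add((symbol,) + args)
        terms = new
    return terms


def satisfiable(clauses):
    """Propositional satisfiability of ground clauses (literals are
    (sign, atom)) by unit propagation and case splitting."""
    clauses = [frozenset(c) for c in clauses]
    if not clauses:
        return True
    if any(not c for c in clauses):        # empty clause: contradiction
        return False
    unit = next((c for c in clauses if len(c) == 1), None)
    lit = next(iter(unit)) if unit else next(iter(clauses[0]))

    def assign(l):
        neg = (not l[0], l[1])
        return [c - {neg} for c in clauses if l not in c]

    if satisfiable(assign(lit)):
        return True
    return False if unit else satisfiable(assign((not lit[0], lit[1])))


def davis_putnam(clauses, constants, functions, max_depth):
    """Return the Herbrand depth at which the ground instances become
    inconsistent (a refutation), or None if none is found within max_depth."""
    for depth in range(max_depth + 1):
        terms = herbrand_terms(constants, functions, depth)
        instances = set()
        for clause in clauses:
            vs = variables(clause)
            for values in product(terms, repeat=len(vs)):
                env = dict(zip(vs, values))
                instances.add(frozenset(
                    (sign, (pred,) + tuple(ground(a, env) for a in args))
                    for sign, pred, args in clause))
        if not satisfiable(instances):
            return depth
    return None


# Constructed sample: P(a), P(X) -> P(f(X)), and the negated goal not P(f(f(a))).
REFUTABLE = [
    [(True, "P", ("a",))],
    [(False, "P", ("X",)), (True, "P", (("f", "X"),))],
    [(False, "P", (("f", ("f", "a")),))],
]
# Without the negated goal the set is satisfiable (P true everywhere).
SATISFIABLE = REFUTABLE[:2]
```

At depth 0 the only ground instance of the second clause is `¬P(a) ∨ P(f(a))`, which is still consistent with `¬P(f(f(a)))`; at depth 1 the instance `¬P(f(a)) ∨ P(f(f(a)))` appears and the set becomes inconsistent, so `davis_putnam(REFUTABLE, ["a"], [("f", 1)], 3)` returns 1. Every clause with $k$ variables contributes $|H_d|^k$ instances at depth $d$, which is the blow-up that resolution's single lifted step avoids.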

The  Davis-Putnam  procedure  is  not  used  today;  resolution  theorem  proving  is  more  effective  [Robinson  65].  The  Davis-Putnam  procedure  spends 
most  of  its  time  deciding  the  satisfiability  of  quantifier-free  ground  formulas. 
Resolution  theorem  proving  is  more  effective  because  a  large  (infinite)  number  of  ground  inferences  are  summarized  in  a  single  resolution  step.  More 
specifically,  the  formula  generated  by  a  resolution  step  can  be  viewed  as  a 
universally  quantified  lemma  which  summarizes  a  large  number  of  ground 
statements  [Robinson  65].  Because  other  proof  mechanisms  (resolution)  are 
more  effective  than  the  Davis-Putnam  procedure,  the  Davis-Putnam  proce¬ 
dure  will  not  be  discussed  further  here. 


2.3.3  Resolution  and  its  Variants 

Most  research  in  automated  theorem  proving  in  the  past  twenty  years  has 
been  based  in  some  way  on  resolution.  The  basic  resolution  rule  was  intro¬ 
duced  by  Robinson  in  1965  and  shown  to  be  refutation  complete  for  first  order 
predicate  calculus  [Robinson  65].  The  resolution  principle  represented  a  clear 
advance  over  the  Davis-Putnam  procedure  because  a  single  resolution  step 
abbreviates  a  large  number  of  the  ground  inferences.  However  the  number 
of  possible  n-step  deductions  grows  exponentially  in  n  and  it  soon  became 
clear  that  resolution  theorem  provers  could  not,  in  practice,  find  significant 
theorems  by  searching  this  large  space  of  possible  deductions. 

The  late  sixties  saw  the  development  of  a  large  number  of  restrictions  on 
the  resolution  principle.  Each  such  restriction  rules  out  certain  resolution 
steps  and  thus  reduces  the  number  of  possible  n-step  deductions.  In  spite  of 
the  reduction  in  the  number  of  possible  inferences,  various  restricted  forms 
of  resolution  are  logically  complete.  A  description  of  various  restrictions  and 
modifications  of  the  resolution  rule  can  be  found  in  [Loveland  78].  Connection 
graph  resolution,  a  resolution  restriction  invented  by  Kowalski,  is  described 
in  [Bibel  81]. 

One  perceived  difficulty  with  resolution  theorem  proving,  in  addition  to 
the  large  search  spaces  encountered,  is  the  use  of  normal  forms.  Resolution 
requires  that  first  order  formulas  be  put  in  normal  form  in  three  stages.  First, 
all  quantifiers  are  moved  to  the  beginning  of  the  formula  resulting  in  a  for¬ 
mula  in  prenex  normal  form.  Second,  existential  quantifiers  are  replaced  by 
skolem  functions  resulting  in  an  equisatisfiable  formula  in  prenex  normal  form 
with  only  universal  quantifiers.  Finally,  the  matrix  of  the  formula  (the  part 
after  the  quantifiers)  must  be  placed  in  conjunctive  normal  form  resulting 
in  a  set  of  universally  quantified  clauses  where  each  clause  is  a  disjunction 
of  literals.  Several  researchers  have  developed  theorem  proving  techniques 
which  are  similar  to  resolution  but  which  do  not  require  the  last  normaliza¬ 
tion  step:  the  matrix  of  the  formula  need  not  be  in  conjunctive  normal  form. 
Such  “non-clausal”  provers  are  described  in  [Andrews  81],  [Murray  82],  and 
[Stickel  82].  These  non-clausal  procedures  are  similar  to  resolution  in  that 
they  use  unification  to  find  matches  between  formulas  and  matched  formulas 
are  combined  to  generate  new  formulas.  The  non-clausal  procedures  are  also 
similar  to  resolution  in  that  existential  quantification  is  eliminated  in  favor 
of  Skolem  constants. 
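The three normalization stages, as an added example that is not code from the thesis or from any of the provers cited: prenex form by renaming bound variables apart and pulling quantifiers outward, Skolemization of each existential variable as a function of the universal variables that precede it, and conjunctive normal form by distributing disjunction over conjunction. The formula syntax, the `sk` naming of Skolem functions and the sample whale/mother formula are assumptions constructed for the example; the input is assumed to be in negation normal form (negations only on atoms), which is the form the first stage needs in order to move quantifiers freely.

```python
from itertools import count

# Formulas (negation normal form):
#   ('atom', name, args)   ('not', atom)   ('and', f, g)   ('or', f, g)
#   ('all', var, f)        ('ex', var, f)
# Terms: variables and constants are strings; applications are tuples
# (symbol, arg1, ...), and Skolem terms are built the same way.


def subst_term(term, mapping):
    if isinstance(term, tuple):
        return (term[0],) + tuple(subst_term(a, mapping) for a in term[1:])
    return mapping.get(term, term)


def subst(formula, mapping):
    """Apply a variable substitution, respecting quantifier shadowing."""
    kind = formula[0]
    if kind == "atom":
        return ("atom", formula[1], tuple(subst_term(a, mapping) for a in formula[2]))
    if kind == "not":
        return ("not", subst(formula[1], mapping))
    if kind in ("and", "or"):
        return (kind, subst(formula[1], mapping), subst(formula[2], mapping))
    inner = {v: t for v, t in mapping.items() if v != formula[1]}
    return (kind, formula[1], subst(formula[2], inner))


def prenex(formula, fresh):
    """Stage 1: rename bound variables apart and pull every quantifier to the
    front. Returns (prefix, matrix); prefix is a list of ('all'|'ex', var)."""
    kind = formula[0]
    if kind in ("all", "ex"):
        var = f"{formula[1]}{next(fresh)}"
        prefix, matrix = prenex(subst(formula[2], {formula[1]: var}), fresh)
        return [(kind, var)] + prefix, matrix
    if kind in ("and", "or"):
        p1, m1 = prenex(formula[1], fresh)
        p2, m2 = prenex(formula[2], fresh)
        return p1 + p2, (kind, m1, m2)
    return [], formula


def skolemize(prefix, matrix, fresh):
    """Stage 2: replace each existential variable by a Skolem term over the
    universal variables that precede it in the prefix (equisatisfiable)."""
    universals, mapping = [], {}
    for kind, var in prefix:
        if kind == "all":
            universals.append(var)
        else:
            mapping[var] = (f"sk{next(fresh)}",) + tuple(universals)
    return universals, subst(matrix, mapping)


def cnf(matrix):
    """Stage 3: distribute 'or' over 'and'. Returns a list of clauses, each a
    tuple of literals. Plain distribution, so it can blow up exponentially."""
    kind = matrix[0]
    if kind == "and":
        return cnf(matrix[1]) + cnf(matrix[2])
    if kind == "or":
        return [c1 + c2 for c1 in cnf(matrix[1]) for c2 in cnf(matrix[2])]
    return [(matrix,)]


def to_clauses(formula):
    """All three stages; the remaining variables are implicitly universal."""
    prefix, matrix = prenex(formula, count())
    _, matrix = skolemize(prefix, matrix, count())
    return cnf(matrix)


def whale(t):
    return ("atom", "whale", (t,))


def mother(t, u):
    return ("atom", "mother", (t, u))


# Constructed sample: some whale exists, and every whale has a mother that is a whale.
EXAMPLE = ("and",
           ("ex", "x", whale("x")),
           ("all", "x", ("or", ("not", whale("x")),
                               ("ex", "y", ("and", mother("y", "x"), whale("y"))))))
```

`to_clauses(EXAMPLE)` yields three clauses: `whale(sk0)`, `¬whale(x1) ∨ mother(sk1(x1), x1)` and `¬whale(x1) ∨ whale(sk1(x1))`. The first existential becomes a constant `sk0` because no universal precedes it, while `y` becomes `sk1(x1)` because it sits under `∀x`; the two bound occurrences of `x` are renamed apart (`x0`, `x1`) before the prefixes are concatenated, which is what makes the pull-out sound.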

Research  in  resolution  theorem  proving  and  related  techniques  has  focused 
on  establishing  logical  completeness.  However,  logical  completeness  may  not 
be  important  in  practice.  The  Boyer-Moore  theorem  prover  is  clearly  not 
complete,  it  often  terminates  in  failure,  and  yet  the  Boyer-Moore  prover  has 
been  used  effectively  in  more  applications  than  has  any  other  theorem 
proving  system. 

As  a  side  effect  of  focusing  on  completeness,  the  resolution  theorem  prov¬ 
ing  community  has  failed  to  make  any  distinction  between  “obvious”  and 
“non-obvious”  inferences.  The  failure  to  distinguish  obvious  and  non-obvious 
inferences  makes  it  difficult  to  use  resolution  theorem  provers  in  interactive 
proof  verifiers.  Any  interactive  proof  verifier  based  on  resolution  must  have 
some  way  of  forcing  the  resolution  process  to  terminate  so  that  a  proposed 
proof  step  can  be  rejected  in  a  finite  amount  of  time.  For  example  Bledsoe 
built  an  interactive  verifier  which  simply  imposed  a  time  limit  on  the  reso¬ 
lution  process  [Bledsoe  71].  A  more  principled  restriction  of  the  resolution 
process  has  been  introduced  by  Davis  [Davis  81]  and  used  in  the  Mizar  sys¬ 
tem  [Trybulec  &  Blair  85].  However  the  restriction  proposed  by  Davis  forces 
the  decision  procedure  for  obvious  inferences  to  determine  the  satisfiability 
of  tin  arbitrary  set  of  ground  clauses.  Determining  the  satisfiability  of  a  set 
of  ground  clauses  is  known  to  be  NP-complete.  Furthermore,  as  far  as  I 
know,  there  has  never  been  a  detailed  comparison  of  natural  arguments  and 
theorems  provable  under  Davis’  suggestion. 


2.3.4  Rewriting  Mechanisms 

Automated inference systems often have a hard time dealing with equality and equational axioms. Directed rewrite systems provide one approach to reasoning about equality. The process of rewriting expressions is also known as simplification, symbolic evaluation or demodulation. Rewrite systems iteratively simplify a given expression until it is in canonical form. A statement can be proved by rewriting it to the constant true.

Some of the most effective theorem proving systems are based on rewrite mechanisms. Most notably, the Boyer-Moore theorem prover uses a simplification mechanism guided by user defined (but machine verified) rewrite rules [Boyer & Moore 79]. The Boyer-Moore theorem prover has been used to verify a wide variety of theorems from number theory, recursive function theory, formal logic, and software and hardware verification [Boyer & Moore 84], [Shankar 85], [Russinoff 85], [Boyer & Moore 86]. The real power of the Boyer-Moore prover comes from its ability to perform induction proofs. However, the simplification (rewrite) mechanism is central to the system.


The Boyer-Moore prover is primarily used to prove equations between terms defined in pure Lisp. Once an equation has been proven it is treated as a rewrite rule to be used in future proofs. The direction of each newly proven rewrite rule is provided by the human user, e.g. when the system proves an equation s = t the human user specifies whether this equation should be treated as s → t, which rewrites s to t, or as t → s, which rewrites t to s.

Ketonen’s EKL system is another example of a verification system based on user defined rewrite rules [Ketonen 84]. As in the Boyer-Moore prover, the direction of EKL rewrite rules is specified by the human user. Unlike the Boyer-Moore prover, however, the EKL system uses Huet’s higher order unification procedure to perform induction proofs. The EKL system lacks the facility for generalizing induction hypotheses used in the Boyer-Moore prover.

Knuth and Bendix developed a powerful method for constructing decision procedures for certain equational theories [Knuth & Bendix 69]. Unlike the Boyer-Moore prover and the EKL system, the Knuth-Bendix procedure can be used to automatically convert undirected equations to directed rewrite rules. More specifically, equations can be ordered via a general (but user specified) order ≻ on terms. If s ≻ t then the equation s = t becomes the rule s → t; if t ≻ s then the equation s = t becomes t → s. The partial order ≻ used in the Knuth-Bendix procedure must be well founded, respect term structure, and obey substitutions (see [Knuth & Bendix 69] for details).

After ordering equations into rewrite rules, the Knuth-Bendix procedure can also be used to automatically construct additional “derived” rewrite rules. More specifically, given a set of unordered equations and an acceptable partial order ≻ on terms, the Knuth-Bendix procedure both converts equations to rewrite rules and constructs additional rewrite rules whose validity follows from the original equations. The set of rewrite rules that results from applying the Knuth-Bendix procedure to a set of equations E is often much larger than E. If the Knuth-Bendix procedure terminates with success it generates a set of rewrite rules that completely canonicalize expressions relative to the given equations; by canonicalizing expressions one can determine if two terms can be proven equal from the original set of equations. Unfortunately, however, the Knuth-Bendix procedure does not always succeed; it can either terminate in failure or fail to terminate.

The Knuth-Bendix procedure has been used extensively in systems which manipulate equational specifications of computer programs and equational programming languages [Kapur et al. 86] [Lescanne 86] [Huet 86]. These systems are based on an equational view of programming in which computer data structures are viewed as terms constructed from atomic symbols (Lisp atoms) and “data constructor functions” such as the Lisp function CONS. Recursive functions can be defined via equations involving the defined function symbols [Guttag & Horning 78] [O'Donnell 85].
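The orientation step described above, as an added example written for this page (not code from the Knuth-Bendix, Boyer-Moore or EKL systems): a unit-weight Knuth-Bendix ordering directs the defining equations of APPEND, together with its associativity, into rewrite rules, refuses to orient a commutativity equation (one way the procedure terminates in failure), and the resulting rules canonicalize a closed term. The term encoding, the precedence list and every name below are assumptions.

```python
"""Orient equations with a unit-weight Knuth-Bendix ordering and rewrite to normal
form.  Added example for this page, not code from Knuth-Bendix, Boyer-Moore or EKL;
the term encoding (variables are strings starting with '?', other strings are
constants, compound terms are tuples (symbol, arg1, ...)) and all names are assumed."""
from collections import Counter

def is_var(t):
    return isinstance(t, str) and t.startswith("?")
def head(t):
    return t[0] if isinstance(t, tuple) else t
def weight(t):  # every symbol and variable weighs 1, so weight is term size
    return 1 + sum(weight(a) for a in t[1:]) if isinstance(t, tuple) else 1

def var_counts(t):
    if is_var(t):
        return Counter([t])
    if isinstance(t, tuple):
        return sum((var_counts(a) for a in t[1:]), Counter())
    return Counter()

def greater(s, t, prec):
    """s > t; prec lists symbols from lowest to highest precedence."""
    vs, vt = var_counts(s), var_counts(t)
    if any(vs[v] < n for v, n in vt.items()):   # variable condition
        return False
    if weight(s) != weight(t):
        return weight(s) > weight(t)
    if is_var(s) or is_var(t):
        return False                              # equal-weight variables tie
    if head(s) != head(t):
        return prec.index(head(s)) > prec.index(head(t))
    if isinstance(s, tuple) and isinstance(t, tuple):
        for a, b in zip(s[1:], t[1:]):            # lexicographic on arguments
            if a != b:
                return greater(a, b, prec)
    return False

def orient(s, t, prec):
    """Direct s = t, or fail as Knuth-Bendix does when neither direction is justified."""
    if greater(s, t, prec):
        return (s, t)
    if greater(t, s, prec):
        return (t, s)
    raise ValueError(f"cannot orient {s} = {t}")

def match(pat, term, subst):
    """One-way matching: extend subst so that pat instantiated equals term."""
    if is_var(pat):
        if pat in subst:
            return subst if subst[pat] == term else None
        return {**subst, pat: term}
    if isinstance(pat, tuple):
        if not (isinstance(term, tuple) and pat[0] == term[0]
                and len(pat) == len(term)):
            return None
        for p, a in zip(pat[1:], term[1:]):
            subst = match(p, a, subst)
            if subst is None:
                return None
        return subst
    return subst if pat == term else None

def substitute(t, subst):
    if is_var(t):
        return subst.get(t, t)
    if isinstance(t, tuple):
        return (t[0],) + tuple(substitute(a, subst) for a in t[1:])
    return t

def rewrite_once(t, rules):
    """Innermost rewriting: reduce an argument if possible, else the root."""
    if isinstance(t, tuple):
        for i in range(1, len(t)):
            new = rewrite_once(t[i], rules)
            if new is not None:
                return t[:i] + (new,) + t[i + 1:]
    for lhs, rhs in rules:
        subst = match(lhs, t, {})
        if subst is not None:
            return substitute(rhs, subst)
    return None

def normalize(t, rules, limit=1000):
    """Rewrite to canonical form; the limit guards against non-termination."""
    for _ in range(limit):
        new = rewrite_once(t, rules)
        if new is None:
            return t
        t = new
    raise RuntimeError("rewriting did not terminate")

# Constructed example: APPEND on lists built from NIL and CONS, plus the
# associativity equation the text mentions; nil < cons < append in precedence.
PREC = ["nil", "cons", "append"]
APPEND_EQUATIONS = [
    (("append", "nil", "?l"), "?l"),
    (("append", ("cons", "?a", "?l"), "?m"),
     ("cons", "?a", ("append", "?l", "?m"))),
    (("append", ("append", "?x", "?y"), "?z"),
     ("append", "?x", ("append", "?y", "?z"))),
]
APPEND_RULES = [orient(s, t, PREC) for s, t in APPEND_EQUATIONS]
```

Orienting meet(?x, ?y) = meet(?y, ?x) with this ordering raises ValueError, since the two sides have equal weight and differ only by a permutation of variables; that unorientable case is the failure mode the text describes.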

The Knuth-Bendix procedure can also be used to generate “induction arguments” of the type performed by the Boyer-Moore theorem prover [Huet & Hullot 83]. More specifically, consider the closed (variable free) terms which can be constructed from a set of “atoms” (constructor functions of no arguments), constructor functions (functions such as CONS which construct data objects), and defined functions. A “data object” is a term with no defined functions. Let E be a set of equations which defines the defined function symbols as operations on the data objects, i.e. no two data objects can be proven equal from E and every closed term involving defined functions can be proven (under E) to be equal to some data object. Now suppose we wish to prove some equation s = t where s and t are distinct terms involving defined functions and free variables. For example, the equation s = t might state the associativity of the APPEND function on lists. The equation s = t holds in the data object universe just in case there is no counterexample, i.e. no ground variable substitution σ such that σ(s) denotes a different data object from σ(t). If there exists a counterexample to the equation s = t then adding this equation to E would allow one to prove an equation between two distinct data objects. The Knuth-Bendix procedure can be used (in some cases) to convert E ∪ {s = t} to a complete set of rewrite rules. By examining this set of rewrite rules it is possible to determine whether E ∪ {s = t} allows one to prove an equation between distinct data objects. If such an equation is provable then the equation s = t has a counterexample. If no such equation between distinct data objects is provable from E ∪ {s = t} then the equation s = t has no counterexamples and must be true in the data object universe. In general it may be possible to show that s = t has counterexamples at an intermediate point in the Knuth-Bendix procedure; thus a complete set of rewrite rules for E ∪ {s = t} may not be required.

One problem with the Knuth-Bendix procedure, however, is the need for a single partial order on all expressions. There may be domain specific intuitions about how terms should be rewritten and it is difficult to incorporate such knowledge into a single uniform term ordering. While some sophisticated partial orders have been developed [Dershowitz 79], it is not yet clear whether a uniform term ordering can be used for the large verifications that have been done with the Boyer-Moore prover.

Like unification research, research on term rewriting systems using the Knuth-Bendix mechanism has centered on the notion of logical completeness. There are many equational theories E with an undecidable set of logical consequences (an undecidable word problem) and in this case the Knuth-Bendix procedure either terminates in failure or fails to terminate. In systems based on the Knuth-Bendix procedure it is not clear what to do when the procedure fails. Even if a complete set of reductions is found, the time required to perform the rewriting may be prohibitively large. The rigid framework of the Knuth-Bendix procedure may make it difficult to perform the large verifications that have been done with the Boyer-Moore prover; it is not clear that a Knuth-Bendix based system could verify the RSA encryption algorithm or the undecidability of the halting problem as has been done with the Boyer-Moore system [Boyer & Moore 84] [Boyer & Moore 86].

Rewrite systems are designed to handle equational theories. The Ontic system handles equality with its congruence closure mechanism; rewrite rules are not used. The congruence closure mechanism can be quite powerful in practice. Figure 2.1 gives an example of an inference done using Ontic’s congruence closure mechanism. Consider a distributive lattice with a least member 0 and a greatest member 1 (a lattice with a least and greatest member is called bounded). If x and y are members of the lattice L then we say that x and y are complements if the meet of x and y is 0 and the join of x and y is 1. It was obvious to the Ontic interpreter that in any bounded distributive lattice a given member x has at most one complement. Ontic’s proof of this fact, also shown in figure 2.1, uses congruence closure.


    (IN-CONTEXT ((LET-BE L (AND-TYPE DISTRIBUTIVE-LATTICE BOUNDED-LATTICE))
                 (LET-BE X (IN-U-SET L))
                 (PUSH-GOAL (AT-MOST-ONE (COMPLEMENT-OF X L))))
      (IN-CONTEXT ((SUPPOSE (EXISTS (COMPLEMENT-OF X L)))
                   (LET-BE Y1 (COMPLEMENT-OF X L))
                   (LET-BE Y2 (COMPLEMENT-OF X L)))
        (NOTE-GOAL))
      (NOTE-GOAL))


Ontic “sees” this theorem using its congruence closure mechanism as follows:

\begin{align*}
y_1 &= y_1 \wedge 1 && \text{A previously established fact.}\\
    &= y_1 \wedge (y_2 \vee x) && \text{Because } y_2 \text{ is a complement of } x.\\
    &= (y_1 \wedge y_2) \vee (y_1 \wedge x) && \text{By definition of a distributive lattice.}\\
    &= (y_1 \wedge y_2) \vee 0 && \text{Because } y_1 \text{ is a complement of } x.\\
    &= (y_1 \wedge y_2) \vee (y_2 \wedge x) && \text{Because } y_2 \text{ is a complement of } x.\\
    &= (y_2 \wedge y_1) \vee (y_2 \wedge x) && \text{Because } \wedge \text{ is commutative.}\\
    &= y_2 \wedge (y_1 \vee x) && \text{By definition of a distributive lattice.}\\
    &= y_2 \wedge 1 && \text{Because } y_1 \text{ is a complement of } x.\\
    &= y_2 && \text{Because } y_2 = y_2 \wedge 1.
\end{align*}

Figure 2.1: A statement that is obvious to Ontic but not obvious to people

Figure 2.1 shows that congruence closure is a powerful technique for reasoning about equality. Because Ontic handles equality with congruence closure rather than rewrite rules, there is no need for the user to specify rewrite directions for equations: the Ontic system can handle undirected declarative equations. The value of declarative as opposed to procedural representations is discussed in more detail in section 2.4.2.
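The inference of Figure 2.1 replayed by a small ground congruence closure procedure, as an added example written for this page rather than Ontic’s own code: the nine justifications in the figure become undirected ground equations, and closure under congruence identifies y1 with y2 without any rewrite direction being chosen. The term encoding, the class and function names and the particular ground instances of the lattice axioms fed to it are assumptions.

```python
"""Ground congruence closure replaying Figure 2.1 (added example, not Ontic's
code; the term encoding and all names below are assumptions)."""
from itertools import combinations

# Constants are strings; compound terms are tuples (symbol, arg1, arg2, ...).
def subterms(t, acc):
    """Collect every subterm of t into the set acc."""
    acc.add(t)
    if isinstance(t, tuple):
        for a in t[1:]:
            subterms(a, acc)
    return acc

class CongruenceClosure:
    """Union-find over terms, closed under f(a) = f(b) whenever a = b."""

    def __init__(self, equations):
        self.terms = set()
        for s, t in equations:
            subterms(s, self.terms)
            subterms(t, self.terms)
        self.parent = {t: t for t in self.terms}
        for s, t in equations:          # the asserted (undirected) equations
            self.union(s, t)
        self.close()

    def find(self, t):
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]   # path halving
            t = self.parent[t]
        return t

    def union(self, s, t):
        rs, rt = self.find(s), self.find(t)
        if rs != rt:
            self.parent[rs] = rt

    def equal(self, s, t):
        return self.find(s) == self.find(t)

    def congruent(self, s, t):
        """Same symbol and arity, and arguments pairwise already equal."""
        return (s[0] == t[0] and len(s) == len(t)
                and all(self.equal(a, b) for a, b in zip(s[1:], t[1:])))

    def close(self):
        """Merge congruent compound terms until no class changes."""
        compound = [t for t in self.terms if isinstance(t, tuple)]
        changed = True
        while changed:
            changed = False
            for s, t in combinations(compound, 2):
                if not self.equal(s, t) and self.congruent(s, t):
                    self.union(s, t)
                    changed = True

def meet(a, b):
    return ("meet", a, b)

def join(a, b):
    return ("join", a, b)

X, Y1, Y2, ZERO, ONE = "x", "y1", "y2", "0", "1"

# Constructed ground instances of the hypotheses and lattice axioms that the
# justifications in Figure 2.1 appeal to.  No direction is given for any of
# them: the procedure uses each equation both ways.
COMPLEMENT_FACTS = [
    (meet(Y1, ONE), Y1),                        # y1 = y1 ∧ 1 (1 is the greatest member)
    (meet(Y2, ONE), Y2),                        # y2 = y2 ∧ 1
    (meet(Y1, X), ZERO), (join(Y1, X), ONE),    # y1 is a complement of x
    (meet(Y2, X), ZERO), (join(Y2, X), ONE),    # y2 is a complement of x
    (meet(Y1, Y2), meet(Y2, Y1)),               # ∧ is commutative
    (meet(Y1, join(Y2, X)), join(meet(Y1, Y2), meet(Y1, X))),   # distributivity
    (meet(Y2, join(Y1, X)), join(meet(Y2, Y1), meet(Y2, X))),   # distributivity
]

def complements_unique(facts=COMPLEMENT_FACTS):
    """True when congruence closure of the facts puts y1 and y2 in one class."""
    return CongruenceClosure(facts).equal(Y1, Y2)
```

Dropping the two distributivity instances leaves y1 and y2 in different classes, which is why the figure cites the definition of a distributive lattice twice.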


2.3.5  Natural  Deduction  Systems 

Natural deduction systems are based on “natural” rules of inference. A given rule says that a goal G of a certain form can be proven by reducing the goal G to the subgoals G1, G2, ..., Gn. Different rules provide different ways of achieving a goal where the success of any one rule is sufficient. The earliest natural deduction system was Newell, Shaw and Simon’s Logic Theorist [Newell, Shaw & Simon 57]. This system used natural deduction rules and backward chaining to prove theorems in Whitehead and Russell’s Principia Mathematica. Soon after the construction of the Logic Theorist, Gelernter constructed his program for finding proofs in Euclidean geometry [Gelernter 59]. Gelernter’s system also used backward chaining and natural deduction rules, but the subgoals were pruned by the use of a diagram, i.e. a model of the assumptions in the proof. If a subgoal was false in the diagram then the system could infer that the subgoal could not be achieved and thus should be abandoned.

During the sixties research in automatic theorem proving focused primarily on resolution theorem proving. However, during the early seventies frustration with resolution systems led to a renewed interest in natural deduction systems [Bledsoe 77]. Natural deduction systems from the seventies include [Bledsoe 71], [Nevins 72], [Bledsoe et al. 72], [Reiter 73], [Ernst 73], [Goldstien 73], [Bledsoe & Bruell 73], and [deKleer et al. 77]. These later natural deduction systems often used resolution as a subroutine for proving subgoals. A time limit was imposed on resolution proofs to force the resolution theorem prover to terminate quickly [Bledsoe 71].

One of the major problems with using resolution as a test for “obvious” subgoals was the tendency of resolution to get lost when it was given too many initial facts. In other words, resolution was not able to automatically find the relevant facts in a large lemma library. As Bledsoe says in [Bledsoe 71]:

    One of the more serious [problems is referencing]. The computer should be able to bring to bear “all it knows” (all definition axioms and previously proven theorems) . . . But if one attempts a resolution proof on a large number of formulas, the result is the production of a glut of irrelevant clauses and sure failure, even when the best known search strategies are used. Thus the crucial part of a resolution proof is the selection of the reference theorems by the human user; the human, by this one action, usually employs more skill than that used by the computer in the proof.

It is useful to remember that this was written in 1971, well after most of the refinements to resolution had been developed. These comments about the ineffectiveness of resolution on large lemma libraries are probably as true today as they were in 1971. The Ontic interpreter, on the other hand, seems to handle large lemma libraries without difficulty. It would be interesting to reconstruct these old natural deduction systems using the Ontic interpreter rather than resolution to test for obvious subgoals.

The seventies also saw the development of basic natural deduction proof checking systems that did not provide much automated reasoning support. For example, McDonald and Suppes developed an interactive proof checking system for teaching an introductory logic course [McDonald & Suppes 84]. Richard Weyhrauch also developed the FOL system for checking first order logic proofs [Weyhrauch 77].

While the FOL system does not provide sophisticated general purpose theorem proving, it does provide a uniform mechanism for associating any given predicate or function symbol with a computer program for computing the value of the predicate or function on “semantic” arguments. It seems clear that mathematical verification systems could benefit from the addition of computational oracles. Along with procedures for basic arithmetic (addition, multiplication, etc.) one can imagine incorporating procedures for symbolic integration, series summation, or polynomial manipulation. No attempt has been made to incorporate such features into the Ontic system.

Procedural attachment is part of a general focus on “metatheory” within the FOL system [Weyhrauch 80]. While procedural attachment has clear potential value, I think the emphasis on metatheory is misplaced. There seems to be a fundamental unity in all mathematics; there is no fundamental distinction between “metamathematics”, number theory, graph theory, finite combinatorics, or real analysis. A system which reasons about numbers, graphs, and ordered sets can just as easily reason about formulas, models, and Tarskian truth functions.

During the late seventies and into the eighties there has been an emphasis on “programmable” natural deduction systems. These systems provide a mechanism for adding user defined inference rules. The first programmable natural deduction system was Edinburgh LCF [Gordon, Milner & Wadsworth 79]. A more recent programmable natural deduction system is the Nuprl system developed by Bates and Constable [Constable et al. 86] [Howe 86]. The Nuprl system grew out of research in interactive verification systems [Constable et al. 82] and their use in teaching formal logic and formal approaches to program verification. The Nuprl system is based on constructive type theory and places particular emphasis on finding constructive proofs. The system provides a facility for converting a constructive proof that a certain number exists into a program for computing that number.

Backward chaining natural deduction systems use rules of inference to convert a given goal to a set of subgoals. In the Nuprl system the user can define new inference rules, or “tactics”, for converting a goal to a set of subgoals. When a tactic replaces a goal G by a set of subgoals G1, G2, ..., Gn the tactic must construct a proof showing that the replacement is sound, i.e. that the subgoals G1, G2, ..., Gn imply the goal G. One could write a tactic for showing that any given set S is a subset of U by supposing that S is non-empty and then considering an arbitrary member of S. One could then use this tactic as a subroutine and write another tactic for showing that two sets are equal by showing that each is a subset of the other. In the Ontic system one has to repeat this style of argument every time one wants to prove set equality. It seems likely that tactics could be used in the Ontic system to reduce the length of machine readable proofs. On the other hand, it seems likely that Ontic’s object oriented inference mechanisms could be used to reduce the length of proofs in the Nuprl system.


2.4  Issues  in  Automated  Reasoning 


There are several general issues involved in the construction of proof verification systems. First, in designing a verification system one should consider the expressive power of the formal language involved. Does the language allow one to express a wide variety of formal concepts and arguments? Second, one should consider the extent to which the knowledge base contains procedural as opposed to declarative information. Procedural information may help make the system run more effectively, but procedural information is harder to construct and a reliance on procedural information makes automatic discovery of useful information more difficult. Third, one should consider whether the system should rely on backward or forward chaining. It is not clear whether forward chaining has any intrinsic advantage over backward chaining or vice versa. In both cases the basic problem is to control the generation of facts or subgoals. Simplification seems to be effective as a guiding principle in backward chaining while focus seems to be effective as a guiding principle in forward chaining.


2.4.1  Expressive  Power 

Some very restricted formal languages have tractable inference problems: there exists a tractable procedure for determining the validity of any statement expressible in the language. Thus there seems to be a trade off between expressive power and computational tractability in knowledge representation languages [Levesque & Brachman 85]. However, this “trade off” is misleading. In order to design a language with a tractable inference problem one must design a language in which hard questions can not be asked. But this does not produce the result one really wants; rather than making it easier to answer hard questions, limiting the expressive power of a language simply makes it impossible to ask hard questions. On the other hand, increasing the expressive power of the reasoning language can make it easier to reason about hard questions.

Natural mathematics (mathematics done in natural language) seems to have a notion of “well typed” expressions. For example, consider the well typed phrase


“the value of the map f on the point x”


as opposed to the “garbled” phrase


“the value of the topological space X on the point x”


The notion of a well typed natural phrase seems to correspond to the notion of a well typed formal expression. Mathematicians talk about groups, rings, fields, topological spaces, differentiable manifolds, group homomorphisms, differentiable maps and much more. It seems that in natural mathematics any definable set (or class) can be used as a type in determining the set of well typed phrases. Most strongly typed formal systems, however, do not allow arbitrary predicates to be used as types.

In designing a type system there appears to be a trade off between expressive power and computational tractability. One can ensure computational tractability by restricting the type system so that only certain simple predicates can be used as types. Restricted type systems can not express natural types such as “prime number”, “symmetric matrix”, or “transitive reduced graph”. While the inability to express such types makes type-checking tractable, it prevents the type-checking process from even attempting to verify certain semantic properties of programs. It seems likely that one could construct a quickly terminating type-checking procedure which could verify all simple types and could also verify some more difficult “semantic” types. Restrictions on the vocabulary of types do not make it easier to answer hard questions; they only make hard questions impossible to ask.
2.4.2  Declarative  Representations 


Many automated inference systems require every declarative fact to be augmented with procedural information: information about how the declarative fact is to be used in the inference process. Purely declarative facts, facts not augmented with procedural instructions, have the advantage that they are easier to generate — it seems easier for people to write down a set of purely declarative facts than to write down both the declarative facts and additional information about how those facts are to be used. The ease of generating purely declarative facts may be particularly important in discovery systems — systems which automatically generate new lemmas. The task of discovering and using new facts is easier if one does not have to specify procedural information each time a new fact is discovered.

Unfortunately, purely declarative facts have the disadvantage that they are more difficult to compute with. Ketonen has discussed the difficulty of constructing effective theorem provers that use purely declarative information [Ketonen 84]. In supporting the use of procedural information Ketonen considers the following formula:


P(x) ⇒ A = B


He argues that there is no single way to use this formula and lists the following possible procedural interpretations:


1. Replace P(x) ⇒ A = B by true whenever it appears.

2. Replace A = B by true if one can prove P(x) in the current situation.

3. Replace P(x) by false if one can prove B.

4. Replace A by B whenever one can prove P(x).

5. Replace B by A whenever one can prove P(x).

6. Replace A by B whenever one can prove P(x) but not in terms resulting from this substitution.
Ketonen argues that one must choose between the above procedural interpretations. Interpretations (4) and (5) seem opposite in intent. Furthermore, formulas involving quantifiers would have an even greater number of different interpretations. Ketonen concludes that the user must specify how formulas are to be used.

It seems that Ketonen’s difficulty with purely declarative representation comes from his commitment to rewrite systems. Ontic’s inference mechanism effectively uses interpretations (1) through (5) simultaneously. Replacing a formula Φ by true in a rewrite system is analogous to putting the label true on the node for Φ in Ontic’s marker propagation mechanism. In the Ontic system Boolean constraint propagation handles the procedural interpretations (1) through (3) above. In the Ontic system equalities between nodes are represented by giving those nodes the same color label. This representation of equality together with the congruence closure mechanism effectively handles both procedural interpretations (4) and (5). The 6th procedural interpretation seems a little strange and is not handled in the Ontic system — congruence closure effectively performs all substitutions.

One of the primary features of the Knuth-Bendix procedure is that equations are automatically converted to rewrite rules using a single partial order that is defined for all terms. Thus, once the partial order has been defined, purely declarative equations are automatically given procedural interpretations. However, the Knuth-Bendix procedure is not guaranteed to succeed: it may terminate without producing a complete set of rewrite rules or it may run forever in attempting to generate such a set. Furthermore, because the Knuth-Bendix procedure produces rewrite rules, it must choose either procedural interpretation (4) or interpretation (5) — the Ontic system effectively does both simultaneously. The effectiveness of the Knuth-Bendix procedure in large verification applications has not yet been established.

Further  experimentation  is  needed  to  see  if  systems  which  use  purely 
declarative  information,  such  as  Ontic,  can  be  made  as  effective  as  systems 
which  are  based  on  rewrite  rules,  such  as  the  Boyer-Moore  theorem  prover. 
2.4.3  Forward  Chaining 

Forward  chaining  systems  start  with  a  set  of  premises  and  derive  conclusions 
from  those  premises.  Backward  chaining  systems  start  with  a  goal  and  reduce 
that  goal  to  subgoals.  It  is  not  clear  whether  forward  chaining  has  any 
intrinsic  advantage  over  backward  chaining  or  vice  versa.  In  both  cases  the 
basic  problem  is  to  control  the  generation  of  facts  or  subgoals.  Both  forward 
chaining  and  backward  chaining  systems  can  become  swamped  in  a  sea  of 
derived  facts  or  derived  subgoals.  Certain  sources  of  guidance  seem  to  work 
for  backward  chaining  and  other  sources  of  guidance  seem  to  work  for  forward 
chaining. 

Simplicity seems to work as a guiding principle in backward chaining. Rewrite systems are backward chaining because they start with the expression to be proved and rewrite that expression in an attempt to show it equivalent to the constant true. Rewrite systems are guided by some notion of simplicity: a goal expression is always replaced by a simpler goal. The notion of simplicity is either implicit in the user specified rewrite rules, as in the Boyer-Moore prover, or explicitly defined as an ordering on expressions, as in Knuth-Bendix based systems. In both cases, however, a notion of simplicity guides the generation of subgoals.

Focus seems to work as a guiding principle in forward chaining. Ontic’s object oriented inference mechanisms are guided by the restriction that derived facts must be about the focus objects. A similar restriction is used in other forward chaining systems such as Nevins’ geometry theorem prover [Nevins 74], constraint systems such as Waltz labeling [Waltz 75], and constraint languages such as that described by Sussman and Steele [Sussman & Steele 80].

It should be possible to integrate both backward and forward chaining in
a single system. In such a system simplification should be used as a guiding
principle in backward chaining and focus should be used as a guiding principle
in forward chaining.


Chapter 3

Ontic as a Cognitive Model


One can attempt to evaluate Ontic as a model of human mathematical
cognition by comparing the formal "proofs" that are acceptable to the Ontic
system with the natural language proofs that are acceptable to people. There
are some clear differences between Ontic proofs and natural arguments. In
certain cases the Ontic system can verify proof steps that are not obvious
to people; we say that Ontic exhibits superhuman performance. In other
cases there are statements which are obvious to people but which require
multi-step proofs in the Ontic system; we say that Ontic exhibits subhuman
performance. The superhuman performance and much of the subhuman
performance can be attributed to specific computational aspects of the Ontic
system.

Ontic's congruence closure mechanism provides a clear example of
superhuman performance. The Ontic system can use its congruence closure
mechanism to "see" that in a distributive lattice complements are unique.
This fact is not obvious to people. The appendix contains several examples of
superhuman performance based on congruence closure. All of the examples
involve lattice theoretic identities. One example is the proof of de Morgan's
laws from the algebraic axioms for a Boolean lattice.

After giving examples of superhuman inference based on congruence
closure, a very fast computationally limited architecture is proposed for
massively parallel computation. Boolean constraint propagation can be easily
implemented in this massively parallel architecture but congruence closure
can not. Substitution constraints are then proposed as an alternative to
congruence closure. Substitution constraints perform many of the substitution
inferences normally done by congruence closure. Furthermore, substitution
constraints can be handled by Boolean constraint propagation and thus can
be implemented on the proposed massively parallel architecture. However,
substitution constraints do not generate the given examples of superhuman
performance.

Of course the Ontic system also exhibits subhuman performance. Some
cases of subhuman Ontic performance can be traced to weaknesses in the
lemma library. Several proofs could be shortened by adding lemmas which
introduce the principle of duality for Boolean lattices and the algebraic
"definition" of a lattice. A more significant set of examples of subhuman Ontic
performance involve mathematical induction. Although the Ontic system
can be used to verify induction arguments, the expansion factor is large. In
natural mathematics induction arguments are often unstated and unnoticed
even though people understand the arguments and agree to their validity.
For example consider a graph where the nodes of the graph are colored such
that any two nodes with an arc between them have the same color. Clearly
if nodes n and m have different colors then there is no path between them in
the graph. To verify this clear and obvious fact with the Ontic system would
require an induction on the length of paths. There are many other examples
from both mathematics and common sense where induction arguments seem
to be carried out at a subconscious level.

Future experimentation will certainly turn up additional ways in which
the Ontic system exhibits subhuman performance; hopefully examples of
subhuman performance will lead to the discovery of additional inference
mechanisms that bring the system closer to human ability in verifying natural
arguments.



3.1 Superhuman Performance


Congruence closure accounts for all the examples of superhuman performance
of the Ontic system. The mathematical development given in the appendix
contains six examples of superhuman performance based on congruence
closure. All of these examples involve reasoning about lattice identities.


3.1.1 Examples of Superhuman Performance

The first example of superhuman Ontic performance is the proof that in
a distributive lattice complements are unique. This example is given in
chapter 2 and is discussed in more detail below. The second example is the proof
of de Morgan's laws for complemented distributive lattices. De Morgan's
laws are straightforward if one assumes that Boolean operations have their
standard meaning as operators on sets, or equivalently, if Boolean operations
have their standard meaning as operations on truth functions. However,
until one has proven the Stone representation theorem one must consider the
possibility that there exist pathological complemented distributive lattices in
which the Boolean operations can not be viewed as operations on sets or as
truth functions. The Ontic proof of de Morgan's laws and an analysis of that
proof are shown in figure 3.1. Given several previously established simple
identities for Boolean lattices the Ontic system immediately "sees" that de
Morgan's laws are true in an arbitrary complemented distributive lattice.

The mathematical development in the appendix also contains a proof that
for any elements x and y of a complemented distributive lattice the following
are equivalent:

1. x ≤ y

2. y* ≤ x*

3. x ∧ y* = 0

4. x* ∨ y = 1
An Ontic Proof:

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE X (IN-U-SET B))
             (LET-BE Y (IN-U-SET B))
             (LET-BE CX (COMPLEMENT X B))
             (LET-BE CY (COMPLEMENT Y B))
             (LET-BE M (MEET X Y B))
             (LET-BE J (JOIN CX CY B)))
  (NOTE (IS J (COMPLEMENT-OF M B))))


A Corresponding Natural Argument:

Let x* and y* be the complements of x and y respectively. Let m be the
meet of x and y and let j be the join of x* and y*. We must show that m
and j are complements, i.e. that m ∧ j = 0 and m ∨ j = 1. This can be
done as follows:

m ∧ (x* ∨ y*) = (m ∧ x*) ∨ (m ∧ y*)              By distributivity of ∧ over ∨.
              = ((x ∧ x*) ∧ y) ∨ ((y ∧ y*) ∧ x)  By assoc. and comm. of ∧.
              = (0 ∧ y) ∨ (0 ∧ x)                By definition of complement.
              = 0                                By algebraic properties of 0.

(x ∧ y) ∨ j = (x ∨ j) ∧ (y ∨ j)                  By distributivity of ∨ over ∧.
            = (y* ∨ (x* ∨ x)) ∧ (x* ∨ (y* ∨ y))  By assoc. and comm. of ∨.
            = (y* ∨ 1) ∧ (x* ∨ 1)                By definition of complement.
            = 1                                  By algebraic properties of 1.

Figure 3.1: An example of superhuman Ontic performance.
The Ontic proof of the equivalence of the above facts is done by showing
that 1) ⇒ 2) ⇒ 3) ⇒ 4) ⇒ 1). This is done in a context where the uniqueness
of complements and de Morgan's laws have already been established.
For each implication there is a set of four focus objects which makes the
implication obvious to the Ontic system. The proof of each implication shows
superhuman performance involving congruence closure.


3.1.2 A Very Fast Parallel Architecture

This section proposes an architecture for massively parallel computation and
argues that, unlike Boolean constraint propagation, congruence closure is
difficult to implement on this architecture.¹ People make truth judgments
about obvious statements in about a second. Although the computation
performed by neurons is not well understood, it is clear that neurons run very
slowly. It seems likely that neurons would require one to ten milliseconds to
compute the logical and of two Boolean signals. If people are computing
truth judgments with Boolean circuitry, and if the gate delay for neuronal
hardware is on the order of one to ten milliseconds, then people make truth
judgments about obvious statements in 100 to 1000 gate delays. Computing
complex truth judgments in only 100 to 1000 gate delays requires massive
parallelism.

Consider a finite state machine where the state of the machine at time i
is given by an n-bit bit vector D_i. The state transition table of the machine
can be given by a Boolean circuit Φ of n inputs and n outputs where the
state transitions of the machine are governed by the equation

D_{i+1} = Φ(D_i)

To make the finite state machine run quickly the Boolean circuit Φ should
have low depth, say ten gates. If Φ has depth ten then a state transition can
be computed in ten gate delays. However, the bit vector defining the state
of the machine can be very large: millions or tens of millions of bits, and the
circuit Φ can involve millions or tens of millions of gates.

¹ It is easy to show that Boolean constraint propagation is polynomial time complete
and thus "unparallelizable"; the worst case running time on a parallel machine is linear in
the size of the graph. In many cases however, a parallel implementation would run much
faster than a serial implementation; a parallel implementation runs in time proportional to
the longest single inference chain while a serial implementation runs in time proportional
to the total number of inferences.

It seems possible to compile an Ontic graph structure into a Boolean
circuit governing a finite state machine. More specifically, a labeling of an Ontic
graph could be encoded in the state bit vector of the machine. The basic
inference operations on graph labels could be incorporated into a Boolean
circuit Φ governing state transitions. Two bits are needed for each formula
node to represent the three possible labeling states of the node: true, false and
unknown. Boolean constraints on formula nodes could be compiled directly
into the structure of the Boolean circuit Φ. Every node in an Ontic graph is
also associated with a color label. The color label for a given node in the
graph could be represented with a set of bits in the machine's state vector.
The Boolean circuit governing state transitions could be designed in such
a way that if an equation node became true then the color labels of the
equated nodes at time i + 1 would each be set to the maximum of the two
labels at time i. In this way the color labels could be made to respect the
truth of equality formulas. With the exception of congruence closure, all of
the inference techniques used in the Ontic system seem to be amenable to a
massively parallel implementation in a low-depth Boolean circuit governing
a finite state machine.

The implementation of congruence closure described in chapter 5 uses a
hash table to map color tuples to colors. In order to implement a hash table
one needs to be able to compute memory addresses for a random access
memory. I don't see any way of implementing parallel access to a large hash
table in a low depth Boolean circuit governing a large finite state machine.

Congruence closure can be replaced with substitution constraints as
described in the next section. Substitution constraints are Boolean constraints
involving equality formulas; such constraints can be compiled directly into a
low-depth Boolean circuit governing a finite state machine.
3.1.3 Substitution Constraints

Substitution constraints provide an alternative to congruence closure for
reasoning about equality. Substitution constraints rely on Boolean constraint
propagation's ability to handle certain equality inferences. Boolean
constraint propagation ensures a simple relationship between the truth of
equality formulas and the color labels encoding equivalence. Boolean constraint
propagation, however, does not automatically handle the substitution of
equals for equals; in the Ontic system substitution is handled by congruence
closure. On the other hand, Boolean constraint propagation can be made to
handle substitution by adding certain Boolean constraints called substitution
constraints. Boolean constraint propagation with substitution constraints is
weaker than congruence closure in that it generates fewer obvious truths in
a given context.

As a simple example of a substitution constraint consider a term f(c)
which consists of an operator f applied to a specific argument c. We can
assume that the operator f is defined on objects of a certain type τ and that
c is an instance of τ. Suppose that g is a generic individual of type τ. To
ensure that inheritance works properly one can add the Boolean constraint

g = c ⇒ f(g) = f(c)

Now if the system ever generates a binding g ↦ c then g and c will get
the same color label and Boolean constraint propagation will ensure that
the equation g = c gets labeled true and thus, by the above substitution
constraint, the equation f(g) = f(c) will be labeled true. Independent of
congruence closure, if f(g) has the same color label as f(c) then certain facts
about f(g) can be inherited by f(c). For example if f(g) is known to be
an instance of a type σ then f(c) will also be known to be an instance of
the type σ. Thus the above Boolean constraint allows the binding g ↦ c to
cause c to inherit facts that are stated in terms of g.

Substitution constraints can be used to perform inferences based on the
substitution of equals for equals. Suppose that c is known to be equal to
b and consider the terms f(c) and f(b). Furthermore assume the graph
structure underlying Boolean constraint propagation includes the following
substitution constraints

g = c ⇒ f(g) = f(c)
g = b ⇒ f(g) = f(b)

Now suppose that the system focuses on c and generates the binding g ↦ c.
Since c and b are known to be equal, the nodes for g, c, and b will all get the
same color label. Thus the equations g = c and g = b will become true. Thus
both the equations f(g) = f(c) and f(g) = f(b) will become true and the
nodes for f(g), f(c) and f(b) will all get the same color label. Thus focusing
on c causes the system to deduce that f(c) equals f(b). This scheme for
handling substitution of equals for equals via substitution constraints can be
suitably generalized to handle operators of more than one argument.

Unlike congruence closure, substitution constraints combined with
focused binding and Boolean constraint propagation will only substitute equals
for equals when the expressions being substituted for are focus objects. All
of the examples of superhuman Ontic performance involve substitutions of
non-focused expressions.
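The machine of sections 3.1.2 and 3.1.3 run on the example just described, as an added illustration that is not part of the thesis or of the Ontic system: each call to step() computes the next labeling from the previous one only, the way the low-depth circuit Φ computes D_{i+1} from D_i, so all nodes are updated in parallel, and the two substitution constraints above are the only implication constraints. Equality formulas become true when their terms carry the same color, and a true equation pushes both colors to the maximum of the two colors of the previous step. The term names, the initial colors and the premise c = b are constructed for the example; FALSE labels are left out because nothing here becomes false.

```python
"""Boolean constraint propagation run as a synchronous finite state machine.

The whole labeling (UNKNOWN/TRUE only; FALSE is not needed here) plus the
color labels is the machine state D_i.  step() reads D_i only and produces
D_{i+1}, so every node is updated in parallel, as a low-depth transition
circuit would do.  Names, colors and the premise c = b are constructed for
this example; none of this is Ontic code.
"""
UNKNOWN, TRUE = 0, 1

# Equality formula nodes and the pair of term nodes each one relates.
EQUATIONS = {
    "g=c": ("g", "c"), "g=b": ("g", "b"), "c=b": ("c", "b"),
    "f(g)=f(c)": ("f(g)", "f(c)"), "f(g)=f(b)": ("f(g)", "f(b)"),
    "f(c)=f(b)": ("f(c)", "f(b)"),
}
# Substitution constraints from the text:  g = c => f(g) = f(c),  g = b => f(g) = f(b).
SUBSTITUTION_CONSTRAINTS = [("g=c", "f(g)=f(c)"), ("g=b", "f(g)=f(b)")]


def step(labels, colors):
    """One state transition; reads only the labels and colors of time i."""
    new_labels, new_colors = dict(labels), dict(colors)
    for eq, (s, t) in EQUATIONS.items():
        # Equal color labels at time i make the equality formula true at i+1.
        if colors[s] == colors[t]:
            new_labels[eq] = TRUE
        # A true equation sets both colors to the max of the two colors at time i.
        if labels[eq] == TRUE:
            m = max(colors[s], colors[t])
            new_colors[s] = max(new_colors[s], m)
            new_colors[t] = max(new_colors[t], m)
    # Implication constraints: antecedent true at time i => consequent true at i+1.
    for antecedent, consequent in SUBSTITUTION_CONSTRAINTS:
        if labels[antecedent] == TRUE:
            new_labels[consequent] = TRUE
    return new_labels, new_colors


def propagate(labels, colors, max_steps=100):
    """Run the machine to a fixpoint; returns final labels, colors and step count."""
    for n in range(max_steps):
        new_labels, new_colors = step(labels, colors)
        if (new_labels, new_colors) == (labels, colors):
            return labels, colors, n
        labels, colors = new_labels, new_colors
    raise RuntimeError("no fixpoint within %d steps" % max_steps)


def run_example(focus_on_c):
    """c = b is known.  Focusing on c binds the generic g to c, i.e. gives g c's color."""
    colors = {"g": 1 if focus_on_c else 0, "c": 1, "b": 2,
              "f(g)": 3, "f(c)": 4, "f(b)": 5}
    labels = {eq: UNKNOWN for eq in EQUATIONS}
    labels["c=b"] = TRUE
    return propagate(labels, colors)
```

run_example(True) ends with f(c) = f(b) labeled true and f(g), f(c), f(b) sharing one color; run_example(False), where g is never bound, leaves g = c unknown and therefore never reaches f(c) = f(b), which is the limitation stated in the last paragraph: substitution happens only through the focus object.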


3.1.4 Superhuman Performance Re-Examined

It is important to note that the scheme for equality inference based on
substitution constraints is not as powerful as the full congruence closure mechanism.
More specifically, using substitution constraints the substitution of equals for
equals can only be done when the substituted expressions are equal to some
focus object. All of the examples of superhuman performance discussed above
involve substitution for non-focused objects. For example consider the proof
shown in chapter 2 that in a distributive lattice complements are unique.
The uniqueness of complements is obvious to the Ontic system.

Figure 2.1 in chapter 2 shows the Ontic "proof" that complements are
unique together with an expanded derivation showing how the Ontic system
proved that if y1 and y2 are both complements of x then y1 must equal y2.
The second line in the expanded derivation is derived by replacing 1 with
(y2 ∨ x) even though neither 1 nor (y2 ∨ x) is a focus object. If congruence
inference required focusing on the substituted expression then the second line
could only be derived by focusing on y2 ∨ x. Similarly, line four is derived by
substituting 0 for y1 ∧ x even though y1 ∧ x is not a focus object. Lines five
and seven also involve substitution for non-focused expressions.

Even the weaker scheme based on substitution constraints could prove
that complements are unique in a single inference step if the system focused
on x, y1, y2, y2 ∨ x, y1 ∧ x, y2 ∧ x and y1 ∨ x all at the same time. However,
it seems that people have a hard time focusing on seven objects simultaneously.
The ability of the Ontic system to focus on a large number of objects
simultaneously is perhaps another source of superhuman performance.
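Congruence closure on the uniqueness-of-complements derivation, as an added example that is not Ontic's chapter 5 implementation (which this page only describes): a union-find over ground terms whose class representatives play the role of color labels, together with a hash table from (operator, argument colors) to colors, which is the part the previous section says does not fit a low-depth circuit. Fed ground instances of the lattice axioms, it replaces 1 with y2 ∨ x and y1 ∧ x with 0 and concludes y1 = y2 without any of those terms being focus objects; dropping the distributivity instances shows the conclusion depends on them. The term constructors M and J and the list of axiom instances are constructed for the example.

```python
"""Congruence closure over ground terms.

Terms are nested tuples ("meet", a, b) / ("join", a, b); constants are
strings.  A class representative stands in for Ontic's color label and
`table` maps (operator, argument colors) to the color of the term built from
them, so two terms with the same operator and equal-colored arguments are
merged.  Constructed for this example; not the thesis's own code.
"""


def M(a, b):
    return ("meet", a, b)


def J(a, b):
    return ("join", a, b)


class CongruenceClosure:
    def __init__(self):
        self.parent = {}   # union-find parent pointers over terms
        self.args = {}     # term -> argument terms (() for constants)
        self.table = {}    # (op, color tuple) -> color: the hash table of chapter 5

    def add(self, term):
        if term in self.parent:
            return
        self.parent[term] = term
        if isinstance(term, tuple):
            for a in term[1:]:
                self.add(a)
            self.args[term] = term[1:]
            self._close()          # the new term may be congruent to an old one
        else:
            self.args[term] = ()

    def find(self, t):
        """Representative of t's class; plays the role of t's color label."""
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]
            t = self.parent[t]
        return t

    def _union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return False
        self.parent[ra] = rb
        return True

    def assert_equal(self, a, b):
        self.add(a)
        self.add(b)
        if self._union(a, b):
            self._close()

    def equal(self, a, b):
        return self.find(a) == self.find(b)

    def _close(self):
        """Rebuild the color-tuple table until no new congruence appears."""
        changed = True
        while changed:
            changed = False
            self.table = {}
            for t, argts in self.args.items():
                if not argts:
                    continue
                key = (t[0],) + tuple(self.find(a) for a in argts)
                if key in self.table:
                    # Same operator on equal arguments: substitute equals for equals.
                    if self._union(t, self.table[key]):
                        changed = True
                else:
                    self.table[key] = self.find(t)


def complement_facts(y, other, x):
    """Ground axiom instances used when y and `other` are both complements of x:
    y ∧ 1 = y,  other ∨ x = 1,  y ∧ x = 0,  distributivity of ∧ over ∨,  t ∨ 0 = t."""
    return [
        (M(y, "1"), y),
        (J(other, x), "1"),
        (M(y, x), "0"),
        (M(y, J(other, x)), J(M(y, other), M(y, x))),
        (J(M(y, other), "0"), M(y, other)),
    ]


def complements_are_unique(with_distributivity=True):
    """True when closure derives y1 = y2 from the axiom instances."""
    cc = CongruenceClosure()
    facts = complement_facts("y1", "y2", "x") + complement_facts("y2", "y1", "x")
    facts.append((M("y1", "y2"), M("y2", "y1")))      # commutativity instance
    for lhs, rhs in facts:
        if not with_distributivity and lhs[0] == "meet" and isinstance(lhs[2], tuple):
            continue                                   # skip the distributivity instances
        cc.assert_equal(lhs, rhs)
    return cc.equal("y1", "y2")
```

The derivation the closure finds is y1 = y1 ∧ 1 = y1 ∧ (y2 ∨ x) = (y1 ∧ y2) ∨ (y1 ∧ x) = (y1 ∧ y2) ∨ 0 = y1 ∧ y2, its mirror image for y2, and commutativity to join the two; the steps replacing 1 and y1 ∧ x are made by the table lookup alone, which is why no focus object is involved.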


3.2 Subhuman Performance


Some proofs in the appendix exhibit subhuman performance which can be
attributed, at least in part, to weaknesses in the lemma library. Other
examples, not given in the appendix, indicate weaknesses in the fundamental
inference architecture. It is hoped that examples of subhuman performance
lead to new inference techniques which increase the usefulness of verification
systems.


3.2.1 Weaknesses in the Lemma Library

The lemma library developed in the appendix does not include a duality
principle for lattices. Given an appropriate duality principle the proof of
any identity in lattice theory would lead immediately to a proof of the dual
identity. For example consider de Morgan's laws. A first de Morgan law can
be phrased as follows.

(x ∨ y)* = x* ∧ y*

A second de Morgan's law can be derived from the first via a duality principle
for Boolean lattices: the result of switching ∨ and ∧ (and 1 and 0) in any
Boolean lattice identity leads to another Boolean lattice identity. Given the
duality principle for Boolean lattices the validity of the above de Morgan law
leads immediately to the validity of the dual law:

(x ∧ y)* = x* ∨ y*

One could incorporate the duality principle into the Ontic system by defining
the dual of a lattice. Given any lattice (or any partial order) the dual of the
lattice is defined to be that lattice which has the same elements but in which
the partial order has been reversed. Using the Ontic system one could easily
define a function which mapped any lattice to its dual lattice. Furthermore
one could prove that if L' is the dual of a Boolean lattice L then L' is a
Boolean lattice such that the meet operation in L' equals the join operation
in L, the join operation in L' equals the meet operation of L, and L' has
the same complement operation as L. Given a Boolean lattice identity l one
could then prove that the dual identity l' must hold in an arbitrary Boolean
lattice L by considering the dual lattice L' and noting that l' holds in L just
in case the lattice identity l holds in the dual L'.

Another example where standard notions could be added to the lemma
library to reduce the length of proofs involves the algebraic characterization
of a lattice. It turns out that the partial order of a lattice is determined by
the meet and join operations and in fact one can define a Boolean lattice
to be a set together with meet, join and complement operations that satisfy
certain equational axioms. This algebraic view of a lattice is described in
textbooks on lattice theory and could be added to Ontic's lemma library.
The algebraic view of a lattice would allow a shorter machine readable proof
of one of the lemmas given in the appendix. More specifically, the algebraic
view of a lattice provides a short proof that if S is a subset of a Boolean lattice
L such that S is closed under the meet, join and complement operations of
L then the set S together with the partial order of L restricted to S forms a
lattice with the same lattice operations as L.
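The dual lattice and the algebraic view of this section made concrete, as an added example that is not from the thesis: a finite lattice is given by its elements and partial order, meet and join are computed as greatest lower and least upper bounds, the dual reverses the order, and an identity is checked under every assignment of elements to its variables, so the duality principle (l' holds in L exactly when l holds in L') can be observed on the powerset lattice. The term encoding, the function names and the three-element universe are constructed for the example.

```python
"""A finite lattice from its partial order, its dual, and lattice identities.
Constructed for this example; the definitions are not Ontic's own."""
from itertools import combinations, product


class FiniteLattice:
    """A finite lattice given by its elements and partial order `leq`."""

    def __init__(self, elements, leq):
        self.elements = list(elements)
        self.leq = leq
        self.bottom = next(e for e in self.elements if all(leq(e, f) for f in self.elements))
        self.top = next(e for e in self.elements if all(leq(f, e) for f in self.elements))

    def _bound(self, a, b, lower):
        """Greatest lower bound (lower=True) or least upper bound of a and b."""
        le = self.leq if lower else (lambda p, q: self.leq(q, p))
        cands = [c for c in self.elements if le(c, a) and le(c, b)]
        best = [c for c in cands if all(le(d, c) for d in cands)]
        if len(best) != 1:
            raise ValueError("not a lattice: no unique bound for %r, %r" % (a, b))
        return best[0]

    def meet(self, a, b):
        return self._bound(a, b, True)

    def join(self, a, b):
        return self._bound(a, b, False)

    def complement(self, a):
        """The unique c with a meet c = 0 and a join c = 1."""
        cs = [c for c in self.elements
              if self.meet(a, c) == self.bottom and self.join(a, c) == self.top]
        if len(cs) != 1:
            raise ValueError("no unique complement for %r" % (a,))
        return cs[0]

    def dual(self):
        """Same elements, partial order reversed."""
        return FiniteLattice(self.elements, lambda a, b: self.leq(b, a))


def powerset_lattice(universe):
    """The Boolean lattice of all subsets of `universe`, ordered by inclusion."""
    elems = [frozenset(c) for k in range(len(universe) + 1)
             for c in combinations(universe, k)]
    return FiniteLattice(elems, lambda a, b: a <= b)


# A term is a variable name, "0", "1", ("meet", s, t), ("join", s, t) or ("comp", s).
def evaluate(lat, term, env):
    if term == "0":
        return lat.bottom
    if term == "1":
        return lat.top
    if isinstance(term, str):
        return env[term]
    op, *args = term
    vals = [evaluate(lat, a, env) for a in args]
    return {"meet": lat.meet, "join": lat.join, "comp": lat.complement}[op](*vals)


def variables(term):
    if isinstance(term, str):
        return set() if term in ("0", "1") else {term}
    return set().union(*(variables(a) for a in term[1:]))


def holds(lat, lhs, rhs):
    """True when lhs = rhs under every assignment of lattice elements to variables."""
    vs = sorted(variables(lhs) | variables(rhs))
    return all(evaluate(lat, lhs, dict(zip(vs, vals))) == evaluate(lat, rhs, dict(zip(vs, vals)))
               for vals in product(lat.elements, repeat=len(vs)))


DUAL = {"meet": "join", "join": "meet", "0": "1", "1": "0"}


def dualize(term):
    """The dual identity: swap meet with join and 0 with 1 throughout."""
    if isinstance(term, str):
        return DUAL.get(term, term)
    return (DUAL.get(term[0], term[0]),) + tuple(dualize(a) for a in term[1:])


DE_MORGAN = (("comp", ("join", "x", "y")), ("meet", ("comp", "x"), ("comp", "y")))


def duality_principle(lat, identity=DE_MORGAN):
    """For a Boolean lattice L: the dual L' swaps meet and join and keeps complements,
    and the dual identity holds in L exactly when the identity holds in L'."""
    lhs, rhs = identity
    d = lat.dual()
    swaps = all(d.meet(a, b) == lat.join(a, b) and d.join(a, b) == lat.meet(a, b)
                for a in lat.elements for b in lat.elements)
    keeps_complement = all(d.complement(a) == lat.complement(a) for a in lat.elements)
    return (swaps, keeps_complement, holds(lat, lhs, rhs),
            holds(lat, dualize(lhs), dualize(rhs)) == holds(d, lhs, rhs))


def order_determined_by_meet(lat):
    """The algebraic view: a <= b exactly when a meet b = a."""
    return all((lat.meet(a, b) == a) == lat.leq(a, b)
               for a in lat.elements for b in lat.elements)
```

For the powerset of {a, b, c}, duality_principle returns all True, and order_determined_by_meet confirms that the inclusion order is recoverable from meet alone, which is the fact behind the algebraic definition of a lattice.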

3.2.2 Mathematical Induction

The clearest examples of subhuman behavior on the part of the Ontic system
involve mathematical induction. Many common sense inferences appear to
involve induction. Consider the following examples:

• Consider a colored graph in which adjacent nodes have the same color,
  i.e. if there is an arc between nodes n and m then n and m have the
  same color. If nodes n and m have different colors then there is no path
  between them in the graph. A formal proof requires induction on the
  length of paths in the graph.

• Consider a chess board. The white pawns start on the second rank and
  never move backward. Therefore no white pawn can ever appear on
  the first rank. A formal proof of this statement requires induction on
  the number of steps in the game.

• Consider two containers for holding marbles. Initially each container is
  empty. Marbles are then placed in the containers in pairs; one marble
  from each pair is placed in each container. No matter how many times
  this is done, assuming the containers do not overflow, there will be
  the same number of marbles in each container. A formal proof of this
  statement requires an induction on the number of marbles placed in
  the containers.

• Consider Rubik's cube. Suppose the cube starts in a solved position
  and is scrambled by some number of rotations of faces of the cube.
  There exists a set of steps that unscrambles the cube. A formal proof
  of this statement requires an induction on the number of rotations used
  to scramble the cube.

• Consider a mouse running in a maze. Suppose the maze is arranged
  inside a box such that there are no openings in the walls of the box
  and the mouse can not jump over the walls. No matter how long the
  mouse runs, and no matter where it goes inside the maze, the mouse
  will not get outside the box. A formal proof of this statement requires
  induction on the number of "moves" the mouse makes in the box.


In each of the above examples the conclusion is obvious to people. In each
example, if the concepts involved were approximated by mathematically
precise notions, then any mathematician would accept the conclusion as obvious
and would not ask for further proof.




Ontic can be used to perform induction proofs. However induction proofs
must be done explicitly: one must explicitly formulate the induction
hypothesis and explicitly verify the induction step. For example, consider verifying
that white pawns in a game of chess can not get to the first rank. This fact
can be verified using the following induction principle for natural numbers.

(DEFTYPE SET-OF-NATNUMS
  (LAMBDA ((S SET))
    (IS-EVERY (MEMBER-OF S) NATURAL-NUMBER)))

(LEMMA
  (FORALL ((S SET-OF-NATNUMS))
    (-> (AND (IS ZERO (MEMBER-OF S))
             (FORALL ((N (MEMBER-OF S)))
               (IS (SUCCESSOR N) (MEMBER-OF S))))
        (IS-EVERY NATURAL-NUMBER (MEMBER-OF S)))))

The above induction principle says that if a set S contains zero and is closed
under successor then it contains all numbers. The set S represents an
induction hypothesis; S is the set of numbers which satisfy the hypothesis.

In the chess example one must prove that white pawns never end up on
the first rank. More formally, let an instance of the type CHESS-GAME be
a particular game of chess, i.e. a particular sequence of moves. If G is a
particular chess game and N is some natural number then

(WHITE-PAWN-ON-BOARD G N)

denotes the type whose instances are the white pawns which are on the chess
board after the N'th move of the game G. We let

(RANK-OF P G N)

be the rank occupied by the pawn P immediately after the N'th move of the
game G. Figure 3.2 contains statements which follow from the rules of chess.
An Ontic proof that pawns never get to the first rank is given in figure 3.3.
The goals in the proof are numbered and the NOTE-GOAL steps are labeled
(FORALL ((G CHESS-GAME)
         (N NATURAL-NUMBER))
  (IS-EVERY (WHITE-PAWN-ON-BOARD G (SUCCESSOR N))
            (WHITE-PAWN-ON-BOARD G N)))

(FORALL ((G CHESS-GAME)
         (N NATURAL-NUMBER)
         (P (WHITE-PAWN-ON-BOARD G (SUCCESSOR N))))
  (IS (RANK-OF P G (SUCCESSOR N))
      (GREATER-OR-EQUAL-TO (RANK-OF P G N))))

(FORALL ((P (WHITE-PAWN-ON-BOARD G ZERO)))
  (IS (RANK-OF P G ZERO)
      (EQUAL-TO TWO)))

Figure 3.2: Statements which follow from the rules of chess.


with the number of the goal being noted. The proof uses the facts listed in
figure 3.2 together with simple facts about the ordering of natural numbers.

The proof starts by considering an arbitrary chess game G. The proof
shows that the following induction hypothesis holds for any number N.

(FORALL ((P (WHITE-PAWN-ON-BOARD G N)))
  (IS (RANK-OF P G N)
      (GREATER-OR-EQUAL-TO TWO)))

The induction principle for natural numbers states that if a set of numbers
contains zero and is closed under successor then it contains all numbers. If
the induction hypothesis is Φ(N) then one should consider the set of all N
such that Φ(N). For the above induction hypothesis one should consider the
following set:

(THE-SET-OF-ALL
  (LAMBDA ((N NATURAL-NUMBER))
    (FORALL ((P (WHITE-PAWN-ON-BOARD G N)))
      (IS (RANK-OF P G N)
          (GREATER-OR-EQUAL-TO TWO)))))
(IN-CONTEXT ((LET-BE G CHESS-GAME)
             (LET-BE HYP-SATISFIERS
                     (THE-SET-OF-ALL
                       (LAMBDA ((N NATURAL-NUMBER))
                         (FORALL ((P (WHITE-PAWN-ON-BOARD G N)))
                           (IS (RANK-OF P G N)
                               (GREATER-OR-EQUAL-TO TWO))))))
             (PUSH-GOAL
               (IS-EVERY NATURAL-NUMBER
                         (MEMBER-OF HYP-SATISFIERS))))                 ;#1
  (IN-CONTEXT ((PUSH-GOAL
                 (IS ZERO (MEMBER-OF HYP-SATISFIERS))))                ;#2
    (IN-CONTEXT ((LET-BE ZEROVAR ZERO))
      (IN-CONTEXT ((SUPPOSE
                     (EXISTS-SOME (WHITE-PAWN-ON-BOARD G ZERO)))
                   (LET-BE P (WHITE-PAWN-ON-BOARD G ZERO))
                   (LET-BE TWOVAR TWO))
        (NOTE-GOAL))                                                   ;#2
      (NOTE-GOAL)))                                                    ;#2
  (IN-CONTEXT ((PUSH-GOAL
                 (FORALL ((N (MEMBER-OF HYP-SATISFIERS)))
                   (IS (SUCCESSOR N) (MEMBER-OF HYP-SATISFIERS))))     ;#3
               (LET-BE SATISFIER (MEMBER-OF HYP-SATISFIERS))
               (LET-BE NEXT-SATISFIER (SUCCESSOR SATISFIER)))
    (IN-CONTEXT ((PUSH-GOAL
                   (FORALL ((P (WHITE-PAWN-ON-BOARD G NEXT-SATISFIER)))
                     (IS (RANK-OF P G NEXT-SATISFIER)
                         (GREATER-OR-EQUAL-TO TWO)))))                 ;#4
      (IN-CONTEXT ((SUPPOSE
                     (EXISTS-SOME
                       (WHITE-PAWN-ON-BOARD G NEXT-SATISFIER)))
                   (LET-BE P (WHITE-PAWN-ON-BOARD G NEXT-SATISFIER))
                   (LET-BE R1 (RANK-OF P G SATISFIER))
                   (LET-BE R2 (RANK-OF P G NEXT-SATISFIER))
                   (LET-BE TWOVAR TWO))
        (NOTE-GOAL))                                                   ;#4
      (NOTE-GOAL))                                                     ;#4
    (NOTE-GOAL))                                                       ;#3
  (IN-CONTEXT ((LET-BE N (MEMBER-OF HYP-SATISFIERS)))
    (NOTE (IS HYP-SATISFIERS SET-OF-NATNUMS)))
  (NOTE-GOAL))                                                         ;#1

Figure 3.3: The proof that white pawns never get to the first rank.

The Ontic proof in figure 3.3 focuses on the set representing the induction
hypothesis. It then proceeds to prove the base case and induction step. The
base case uses the fact that the rank of a white pawn at time zero equals
two and every number is greater than or equal to itself. In order to apply
the fact that every number is greater than or equal to itself one must focus on
the number two. The induction step uses the fact that the rank of the pawn
at time n is greater or equal to two and the rank of the pawn at time n + 1
is greater or equal to the rank at time n. To invoke the transitivity of the
ordering on natural numbers one must focus on the three numbers given by
the rank of the pawn at times n and n + 1 together with the number two.
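The same induction carried out in Lean 4, as an added example that is not from the thesis or the Ontic system: the game G and a pawn P are abstracted to a single function rank from move numbers to ranks, h0 stands for the figure 3.2 fact that a pawn starts on rank two, hstep for the fact that a pawn never moves backward, and the two cases of the induction correspond to goals #2 and #3 of figure 3.3 (the base case uses reflexivity of ≤, the step uses transitivity, exactly the two ordering facts the paragraph above names).

```lean
-- Added example (not from the thesis): the pawn argument of figure 3.3 in Lean 4.
-- `rank n` abstracts (RANK-OF P G N) for one white pawn P of a fixed game G;
-- `h0` abstracts the first-move fact of figure 3.2 and `hstep` the fact that the
-- rank after move n+1 is at least the rank after move n.
theorem white_pawn_never_on_first_rank
    (rank : Nat → Nat)
    (h0 : rank 0 = 2)
    (hstep : ∀ n, rank n ≤ rank (n + 1)) :
    ∀ n, 2 ≤ rank n := by
  intro n
  induction n with
  | zero =>                                   -- goal #2: the base case
    exact Nat.le_of_eq h0.symm                --   2 = rank 0, hence 2 ≤ rank 0
  | succ k ih =>                              -- goal #3: the induction step
    exact Nat.le_trans ih (hstep k)           --   2 ≤ rank k ≤ rank (k + 1)
```

Here the induction hypothesis is stated by the theorem's conclusion rather than by a set of numbers, and the focus objects of figure 3.3 (the pawn, the number two, the ranks at times n and n + 1) appear as the terms ih and hstep k that the transitivity lemma is applied to.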

The proof shown in figure 3.3 is clearly much longer than a natural
language argument which simply states that white pawns never get to the first
rank. This example indicates that without additional theorem proving
mechanisms the Ontic system will exhibit a large expansion factor on many
induction proofs.

One possible mechanism for reducing the expansion factor in induction
proofs would be a backward chaining procedure (a tactic) for automatically
generating proofs such as the one shown in figure 3.3. It would be easy
to automatically convert the induction hypothesis into a set of numbers and
automatically focus on that set of numbers. Furthermore one could
automatically attempt to prove the base and induction cases of the argument.
As figure 3.3 shows however, proving the base and induction cases with the
Ontic system may require focusing on additional objects. In figure 3.3 the
user focuses on an arbitrary white pawn and the number two. In the induction
case the user focuses on the rank of the pawn at two different times. It
seems that it might be difficult to automatically generate these additional
focus objects.

Several automated inference systems include inference mechanisms for handling mathematical induction [Boyer & Moore 79] [Huet & Hullot 83] [Ketonen 84]. Research is needed to determine if these, or other, induction mechanisms can be incorporated into the Ontic system. These inference mechanisms are all backward chaining; the induction hypothesis is taken from the goal statement. It would be interesting to see if some forward chaining induction mechanism could be found that was more in the spirit of Ontic’s forward chaining inference techniques.

It might be possible to construct a forward chaining induction mechanism as part of Ontic’s classification process. Recall that classification involves assigning a set of types to each focus object. Consider a focus object $\tau(n)$ that involves an arbitrary number $n$ and consider a type $\tau$. It may be possible to prove that the focus object $\tau(n)$ is an instance of the type $\tau$ via induction on the number $n$. More specifically, the system could show that $\tau(0)$ is an instance of $\tau$ and that if $\tau(n)$ is an instance of $\tau$ then $\tau(n + 1)$ is an instance of $\tau$. In the chess example the focus object $\tau(n)$ would be (RANK-OF P G N) where P is an arbitrary instance of (WHITE-PAWN-ON-BOARD G N). In the chess example the system would classify the object (RANK-OF P G N) to be an instance of the type (GREATER-OR-EQUAL-TO TWO). This example shows that classification could be made more powerful by incorporating an induction mechanism.

The desire to have a system which can verify proofs at a human level of detail, together with examples of powerful human inference involving induction, provides a motivation for finding powerful induction mechanisms. Hopefully an induction mechanism can be found which allows the above examples to be machine verified at a human, or near-human, level of detail. Similarly, it is hoped that other examples of subhuman system performance will lead to the discovery of more powerful inference mechanisms.


Chapter  4 

Quantifier  Free  Inference 


Each  context  in  the  Ontic  system  is  specified  by  a  lemma  library,  a  set  of  focus 
objects,  and  a  set  of  assumptions.  Given  a  lemma  library,  an  assumption 
set,  and  a  focus  set  the  Ontic  system  uses  focused  forward  chaining  inference 
mechanisms  to  generate  a  set  of  “obvious  truths”  for  the  given  context.  In 
any  given  context  the  operations  NOTE  and  NOTE-GOAL  can  be  used  to  make 
permanent  additions  to  the  lemma  library. 

Each lemma, focus object and assumption is an expression in the formal language Ontic. Rather than manipulate Ontic expressions directly, the Ontic system compiles these expressions into graph structure where there is a one to one correspondence between graph nodes and Ontic expressions. Compilation and inference are separate processes; compilation generates a graph structure and inference manipulates graph labelings without creating additional graph structure. For efficiency reasons the graph constructed by the Ontic system is saved and used repeatedly in many different contexts.

In the Ontic system the current context is specified by incrementally adding and removing suppositions and focus objects. The system maintains a stack discipline with respect to the addition and removal of focus objects: the last supposition or focus object added must be the first one removed. The graph labeling of a given context is determined by the lemma library, focus objects and suppositions; the graph labeling does not depend on how the context was constructed. Labelings can be computed incrementally however. When a focus object or supposition is added Ontic’s inference mechanisms extend the labeling to include more truth labels and to satisfy more equivalences. The system also maintains an “undo list” so that when a focus object or supposition is removed the previous context can be restored and then updated to reflect additions to the lemma library.

Chapters 6 and 7 specify the formal language Ontic and the way in which the graph structure is generated from the lemma library. This chapter, and the one that follows, specify the formal structure of the graph and the mechanisms for labeling that graph. The graphs constructed by the Ontic compiler have five different kinds of nodes and nine different kinds of “links” between nodes. However, this chapter discusses only those kinds of nodes and links that are used in Boolean constraint propagation and congruence closure. These node types and link types are introduced in three stages by defining three progressively more sophisticated types of graphs.

The first two sections of this chapter discuss graph structure and inference mechanisms that are relevant to Boolean constraint propagation. Boolean constraint propagation is responsible for enforcing certain Boolean constraints on formula nodes and for enforcing certain relationships between truth labels of equation nodes and color labels representing equivalences. Congruence closure ensures that the color labels that represent equivalences respect the substitution of equals for equals.


4.1  Boolean  Constraint  Graphs 


This section describes Boolean constraint graphs and the inference mechanisms that apply to them. Sections 4.1.2 and 4.1.3 can be safely ignored by readers who are not interested in correctness proofs; the graph structure and inference mechanisms are fully specified by the end of section 4.1.1.

Boolean constraint graphs are a very simple approximation of the graphs produced by the Ontic compiler; Boolean constraint graphs have only a single kind of node and a single kind of link. The nodes represent formulas and each link is a disjunctive constraint on truth values assigned to the nodes.


Definition: Let $\mathcal{N}$ be a set of formula nodes. A literal over $\mathcal{N}$ is either a node $n$ in $\mathcal{N}$ or the negation $\neg n$ of some node $n$ in $\mathcal{N}$.

A clause over $\mathcal{N}$ is a disjunction of the form

$\Psi_1 \vee \Psi_2 \vee \cdots \vee \Psi_k$

where each $\Psi_i$ is a literal over $\mathcal{N}$.

A Boolean constraint graph $B$ consists of a set of formula nodes and a set of clauses over those nodes.


The  Boolean  constraint  propagation  algorithm  manipulates  partial  truth 
labelings  of  Boolean  constraint  graphs.  More  specifically,  the  propagation 
algorithm  extends  partial  truth  labelings  in  a  manner  justified  by  the  clauses 
in  the  graph. 


Definition: A partial truth labeling $\gamma$ of a Boolean constraint graph $B$ is a partial map from the nodes in $B$ to the set {true, false}; if $n$ is a node in $B$ then $\gamma(n)$ is either true, false or undefined.

A partial truth labeling $\gamma$ on $B$ determines a partial truth labeling on all literals $\Psi$ over $B$ as follows:

$\gamma(\neg n) = \begin{cases} \text{false} & \text{if } \gamma(n) = \text{true} \\ \text{true} & \text{if } \gamma(n) = \text{false} \\ \text{undefined} & \text{if } \gamma(n) \text{ is undefined} \end{cases}$


Each clause is a disjunction of the form

$\Psi_1 \vee \Psi_2 \vee \cdots \vee \Psi_k$

which states that one of the literals must be true. The propagation algorithm is based on the notion of a unit clause; Boolean constraint propagation extends partial truth labels by identifying unit clauses in the graph structure. The notion of a unit clause is defined relative to the partial truth labeling $\gamma$. Consider a clause of the form

$\Psi_1 \vee \Psi_2 \vee \cdots \vee \Psi_k$

and a partial truth label $\gamma$. If $\gamma(\Psi_1)$ is false then the above clause expresses the constraint that one of the other literals must be true. In general one should only pay attention to the non-false literals in a clause. A clause with only a single non-false literal is called a unit clause.

Definition: A clause $\Psi_1 \vee \Psi_2 \vee \cdots \vee \Psi_n$ is called a $\gamma$-unit-clause if there is exactly one literal $\Psi_i$ such that $\gamma(\Psi_i)$ is not false. The single non-false literal is called the unit literal of the clause.

An open $\gamma$-unit-clause is a $\gamma$-unit-clause where the unit literal has no truth label under $\gamma$, i.e. $\gamma(\Psi)$ is undefined for the unit literal $\Psi$.

An open $\gamma$-unit-clause provides grounds for extending the partial truth labeling $\gamma$; if there is only one non-false literal in a clause $C$ then the remaining literal, the unit literal of the clause, must be true. Boolean constraint propagation uses open unit clauses to extend the truth labeling until either an inconsistency is discovered or there are no remaining open unit clauses.

Definition: Let $B$ be a Boolean constraint graph and let $\gamma$ be a partial truth labeling on $B$.

The partial labeling $\gamma$ will be called $B$-inconsistent if there is some clause

$\Psi_1 \vee \Psi_2 \vee \cdots \vee \Psi_k$

in $B$ such that $\gamma(\Psi_i)$ is false for each literal $\Psi_i$ in the clause. If $\gamma$ is not $B$-inconsistent we say that $\gamma$ is $B$-consistent.

Let $\Psi$ be any literal over the nodes in $B$ such that $\gamma(\Psi)$ is undefined. The labeling $\gamma[\Psi := \text{true}]$ is the partial truth labeling which agrees with $\gamma$ on all nodes other than that appearing in $\Psi$ and such that $\gamma[\Psi := \text{true}](\Psi)$ equals true. $\gamma[\Psi := \text{false}]$ is defined similarly.


Boolean constraint propagation starts with an arbitrary partial labeling $\gamma$ of a Boolean constraint graph $B$ and returns a new partial labeling $N_B(\gamma)$. The Boolean constraint propagation procedure can be defined as follows:


Definition: A partial truth labeling $\gamma$ of a Boolean constraint graph $B$ is called normalized if either it is $B$-inconsistent or there are no open unit clauses in $B$ under $\gamma$.

Procedure for Computing $N_B(\gamma)$:

If $\gamma$ is normalized then return $\gamma$, otherwise choose an open $\gamma$-unit-clause in $B$ with unit literal $\Psi$ and return the labeling $N_B(\gamma[\Psi := \text{true}])$.

Since there are only finitely many formula nodes in $B$ the partial truth labeling can not be extended indefinitely and the recursion in the above procedure must terminate. Furthermore the labeling returned by the above procedure is always normalized.

The normalization of a labeling of a Boolean constraint graph involves inference. If a labeling $\gamma'$ can be derived via a single inference from a labeling $\gamma$ then we write $\gamma \to_B \gamma'$. In analyzing Ontic’s inference mechanisms the one step inference relation $\to_B$ is easier to think about than the normalization function $N_B$. More formally, for any Boolean constraint graph $B$ the relation $\to_B$ is defined on the labelings of $B$ as follows:


Definition: Let $\gamma$ and $\gamma'$ be two partial truth labelings of a Boolean constraint graph $B$. We write $\gamma \to_B \gamma'$ if $\gamma$ is $B$-consistent and $\gamma'$ can be derived in a single unit inference from $\gamma$, i.e. if there is some open $\gamma$-unit-clause in $B$ with unit literal $\Psi$ and such that $\gamma'$ equals $\gamma[\Psi := \text{true}]$.


The relation $\to_B$ should be viewed as a reduction relation analogous to reduction relations in the lambda calculus or term rewriting systems. For any labeling $\gamma$ of $B$ the normalized labeling $N_B(\gamma)$ is the normalization of $\gamma$ under the reduction relation $\to_B$.


4.1.1  Compiling  Boolean  Combinations 

The  graph  structure  used  in  semantic  modulation  is  constructed  by  compiling 
expressions  in  the  Ontic  language;  the  compilation  process  translates  the 
Ontic  expressions  into  graph  structure.  The  utility  of  Boolean  constraint 
propagation  is  best  understood  in  light  of  this  compilation  process.  The 
full  Ontic  compiler  is  precisely  defined  in  chapter  7.  However  this  section 
describes  the  compilation  of  Boolean  combinations  of  formulas. 

The compilation process converts an Ontic formula $\Phi$ to a formula node $n_\Phi$. Certain Ontic formulas are associated with clauses called meaning postulates. When the node $n_\Phi$ is constructed the meaning postulates for $\Phi$ are added to the graph. For example suppose that the formula $\Phi$ is a Boolean combination of the formulas $\Theta_1$ and $\Theta_2$, e.g. $\Phi$ might be the formula (OR $\Theta_1$ $\Theta_2$). The meaning postulates for $\Phi$ are clauses that relate the node $n_\Phi$ to the nodes $n_{\Theta_1}$ and $n_{\Theta_2}$. The exact nature of the clauses relating $n_\Phi$ to $n_{\Theta_1}$ and $n_{\Theta_2}$ depends on the Boolean connective used in $\Phi$. Table 4.1 shows the meaning postulates for the Boolean connectives used in the Ontic system.

Table 4.1: Meaning postulates for Boolean connectives. In each row $n_\Phi$ abbreviates the node of the formula $\Phi$ named in that row.

Formula $\Phi$ = (AND $\Theta_1$ $\Theta_2$); meaning postulates for $n_\Phi$:
  $\neg n_\Phi \vee n_{\Theta_1}$, i.e. $n_\Phi \Rightarrow n_{\Theta_1}$
  $\neg n_\Phi \vee n_{\Theta_2}$, i.e. $n_\Phi \Rightarrow n_{\Theta_2}$
  $\neg n_{\Theta_1} \vee \neg n_{\Theta_2} \vee n_\Phi$, i.e. $n_{\Theta_1} \wedge n_{\Theta_2} \Rightarrow n_\Phi$

Formula $\Phi$ = (OR $\Theta_1$ $\Theta_2$); meaning postulates for $n_\Phi$:
  $\neg n_{\Theta_1} \vee n_\Phi$, i.e. $n_{\Theta_1} \Rightarrow n_\Phi$
  $\neg n_{\Theta_2} \vee n_\Phi$, i.e. $n_{\Theta_2} \Rightarrow n_\Phi$
  $\neg n_\Phi \vee n_{\Theta_1} \vee n_{\Theta_2}$, i.e. $n_\Phi \Rightarrow n_{\Theta_1} \vee n_{\Theta_2}$

Formula $\Phi$ = (IMPLIES $\Theta_1$ $\Theta_2$); meaning postulates for $n_\Phi$:
  $\neg n_{\Theta_2} \vee n_\Phi$, i.e. $n_{\Theta_2} \Rightarrow n_\Phi$
  $n_{\Theta_1} \vee n_\Phi$, i.e. $\neg n_{\Theta_1} \Rightarrow n_\Phi$
  $\neg n_\Phi \vee \neg n_{\Theta_1} \vee n_{\Theta_2}$, i.e. $n_\Phi \wedge n_{\Theta_1} \Rightarrow n_{\Theta_2}$

Formula $\Phi$ = (IFF $\Theta_1$ $\Theta_2$); meaning postulates for $n_\Phi$:
  $\neg n_\Phi \vee \neg n_{\Theta_1} \vee n_{\Theta_2}$, i.e. $n_\Phi \wedge n_{\Theta_1} \Rightarrow n_{\Theta_2}$
  $\neg n_\Phi \vee n_{\Theta_1} \vee \neg n_{\Theta_2}$, i.e. $n_\Phi \wedge \neg n_{\Theta_1} \Rightarrow \neg n_{\Theta_2}$
  $\neg n_{\Theta_1} \vee \neg n_{\Theta_2} \vee n_\Phi$, i.e. $n_{\Theta_1} \wedge n_{\Theta_2} \Rightarrow n_\Phi$
  $n_{\Theta_1} \vee n_{\Theta_2} \vee n_\Phi$, i.e. $\neg n_{\Theta_1} \wedge \neg n_{\Theta_2} \Rightarrow n_\Phi$

Formula $\Phi$ = (NOT $\Theta$); meaning postulates for $n_\Phi$:
  $n_\Theta \vee n_\Phi$
  $\neg n_\Theta \vee \neg n_\Phi$

Boolean constraint propagation generates a normalized partial truth labeling of the constraint graph generated by the compilation process. If the normalized labeling is $B$-consistent then the meaning postulates for Boolean connectives ensure certain relationships between Boolean formulas and their subformulas. For example consider the following meaning postulate for implications of the form (IMPLIES $\Theta_1$ $\Theta_2$):

$\neg n_{(\mathtt{IMPLIES}\ \Theta_1\ \Theta_2)} \vee \neg n_{\Theta_1} \vee n_{\Theta_2}$

Now suppose $\gamma$ is a $B$-consistent normalized partial truth labeling such that $\gamma(n_{(\mathtt{IMPLIES}\ \Theta_1\ \Theta_2)})$ is true and $\gamma(n_{\Theta_1})$ is true. In this case the first two literals in the above clause are labeled false under $\gamma$. By assumption $\gamma$ is $B$-consistent so the last literal is not false. Furthermore since $\gamma$ is assumed to be normalized the above clause can not be an open $\gamma$-unit-clause so the last literal must be labeled true. In summary:


If $\gamma$ is a $B$-consistent normalized labeling such that

$\gamma(n_{(\mathtt{IMPLIES}\ \Theta_1\ \Theta_2)}) = \text{true}$ and $\gamma(n_{\Theta_1}) = \text{true}$

then

$\gamma(n_{\Theta_2}) = \text{true}$.

Thus $B$-consistent normalized labelings are closed under the inference rule of modus ponens. A similar argument can be used to prove the following:

If $\gamma$ is a $B$-consistent normalized labeling such that

$\gamma(n_{(\mathtt{IMPLIES}\ \Theta_1\ \Theta_2)}) = \text{true}$ and $\gamma(n_{\Theta_2}) = \text{false}$

then

$\gamma(n_{\Theta_1}) = \text{false}$.

A similar argument concerning the meaning postulates for negations shows that if $\gamma$ is a $B$-consistent normalized partial truth labeling and the nodes $n_\Theta$ and $n_{(\mathtt{NOT}\ \Theta)}$ have been constructed in the graph then either $\gamma$ does not provide a truth label for either of these nodes or $\gamma$ assigns these nodes opposite labels.

Now let op be any binary Boolean operator listed in table 4.1 and let $\gamma$ be a $B$-consistent normalized truth labeling. The meaning postulates ensure the following conditions:

• If the nodes $n_{\Theta_1}$ and $n_{\Theta_2}$ both have truth labels then any node of the form $n_{(\mathrm{op}\ \Theta_1\ \Theta_2)}$ also has a truth label; $n_{(\mathrm{op}\ \Theta_1\ \Theta_2)}$ has the truth label given by the meaning of op.

• If the meaning of op allows the truth of (op $\Theta_1$ $\Theta_2$) to be derived from either the truth label for $n_{\Theta_1}$ or the truth label for $n_{\Theta_2}$ then $n_{(\mathrm{op}\ \Theta_1\ \Theta_2)}$ has the appropriate truth label. For example a disjunction is true whenever one of its disjuncts is true and a conjunction is false whenever one of its conjuncts is false.

• If the meaning of op allows the truth of $n_{\Theta_1}$ to be derived from the truth label of $n_{(\mathrm{op}\ \Theta_1\ \Theta_2)}$ then $n_{\Theta_1}$ has the appropriate truth label. For example if a conjunction is true then each conjunct is true and if a disjunction is false then each disjunct is false. If an implication is false then its antecedent is true and its consequent is false.

• If the meaning of op allows the truth of $n_{\Theta_1}$ to be derived from both the truth label of $n_{(\mathrm{op}\ \Theta_1\ \Theta_2)}$ and the truth label of $n_{\Theta_2}$ then $n_{\Theta_1}$ has the appropriate truth label. An analogous statement holds for deriving labelings of $n_{\Theta_2}$ from labelings of $n_{(\mathrm{op}\ \Theta_1\ \Theta_2)}$ and $n_{\Theta_1}$. For example if a conjunction is labeled false and one of its conjuncts is labeled true then the other will be labeled false. If a disjunction is labeled true and one of its disjuncts is labeled false then the other disjunct will be labeled true.


The above properties of a $B$-consistent normalized labeling $\gamma$ do not guarantee that $\gamma$ is closed under all possible Boolean inferences. Boolean constraint propagation constructs a normalized labeling in time proportional to the number of nodes in the graph; assuming $P \neq NP$ any logically complete Boolean inference mechanism requires exponential time. Thus it is not surprising that Boolean constraint propagation is logically incomplete. More specifically, Boolean constraint propagation does not perform case analyses. For example there exists a $B$-consistent normalized labeling $\gamma$ with the following properties:

$\gamma(n_{(\mathtt{OR}\ \Theta_1\ \Theta_2)}) = \text{true}$
$\gamma(n_{(\mathtt{IMPLIES}\ \Theta_1\ \Theta_3)}) = \text{true}$
$\gamma(n_{(\mathtt{IMPLIES}\ \Theta_2\ \Theta_3)}) = \text{true}$
$\gamma(n_{\Theta_3})$ is undefined

In the above situation Boolean constraint propagation does not generate truth labels for any of the nodes $n_{\Theta_1}$, $n_{\Theta_2}$ or $n_{\Theta_3}$.


4.1.2  Order  Independence  for  Boolean  Inference 

The Boolean constraint propagation procedure defined above is non-deterministic; the procedure extends a partial truth labeling by non-deterministically choosing an open unit clause. Fortunately however, one can prove that the labeling generated by the propagation procedure is independent of the order in which open unit clauses are chosen.
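The following Python is added here as an illustration and is not part of the Ontic system: it implements the propagation procedure of section 4.1 over clauses built from the meaning postulates of Table 4.1, and checks the facts discussed in 4.1.1 (closure under modus ponens, the missing case analysis for (OR $\Theta_1$ $\Theta_2$), (IMPLIES $\Theta_1$ $\Theta_3$), (IMPLIES $\Theta_2$ $\Theta_3$)) together with the order independence claimed in this section. Node names such as t1 and imp are constructed for the example.

```python
"""Boolean constraint propagation as defined in section 4.1: literals, clauses,
partial truth labelings gamma, open gamma-unit-clauses, the normalizer N_B and
the meaning postulates of Table 4.1. Node names (t1, imp, ...) are constructed."""
import random
from typing import Dict, List, Optional, Tuple

Literal = Tuple[str, bool]            # (node name, polarity); False means the negation
Clause = Tuple[Literal, ...]
Labeling = Dict[str, Optional[bool]]  # partial map; a node that is absent is undefined


def lit(node: str, positive: bool = True) -> Literal:
    return (node, positive)


def literal_value(gamma: Labeling, psi: Literal) -> Optional[bool]:
    """gamma extended to literals: gamma(not n) is the opposite of gamma(n)."""
    node, positive = psi
    v = gamma.get(node)
    return None if v is None else (v if positive else not v)


def is_inconsistent(clauses: List[Clause], gamma: Labeling) -> bool:
    """B-inconsistent: some clause has every literal labeled false."""
    return any(all(literal_value(gamma, psi) is False for psi in c) for c in clauses)


def open_unit_literal(clause: Clause, gamma: Labeling) -> Optional[Literal]:
    """The unit literal if `clause` is an open gamma-unit-clause (exactly one literal
    is not false, and that literal is still undefined), otherwise None."""
    non_false = [psi for psi in clause if literal_value(gamma, psi) is not False]
    if len(non_false) == 1 and literal_value(gamma, non_false[0]) is None:
        return non_false[0]
    return None


def normalize(clauses: List[Clause], gamma: Labeling) -> Labeling:
    """N_B(gamma): while gamma is B-consistent and an open unit clause exists, set its
    unit literal true (gamma[psi := true]). Clause order decides which open unit
    clause is chosen first; the normalization theorem says the order does not matter."""
    gamma = dict(gamma)
    while not is_inconsistent(clauses, gamma):
        units = [open_unit_literal(c, gamma) for c in clauses]
        chosen = next((u for u in units if u is not None), None)
        if chosen is None:
            break                             # normalized: no open unit clauses left
        node, positive = chosen
        gamma[node] = positive
    return gamma                              # normalized (possibly B-inconsistent)


def meaning_postulates(phi: str, op: str, *args: str) -> List[Clause]:
    """Table 4.1: the clauses relating n_phi, phi = (op theta1 theta2), to its subformulas."""
    n, nphi = lit(phi), lit(phi, False)
    if op == "NOT":
        (a,) = args
        return [(lit(a), n), (lit(a, False), nphi)]
    a, b = args
    A, B, nA, nB = lit(a), lit(b), lit(a, False), lit(b, False)
    table = {
        "AND": [(nphi, A), (nphi, B), (nA, nB, n)],
        "OR": [(nA, n), (nB, n), (nphi, A, B)],
        "IMPLIES": [(nB, n), (A, n), (nphi, nA, B)],
        "IFF": [(nphi, nA, B), (nphi, A, nB), (nA, nB, n), (A, B, n)],
    }
    return table[op]


def modus_ponens() -> Optional[bool]:
    """gamma(n_(IMPLIES t1 t2)) = true and gamma(n_t1) = true force gamma(n_t2) = true."""
    clauses = meaning_postulates("imp", "IMPLIES", "t1", "t2")
    return normalize(clauses, {"imp": True, "t1": True}).get("t2")


def case_analysis_gap() -> Tuple[Optional[bool], bool]:
    """The incompleteness example of 4.1.1: (OR t1 t2), (IMPLIES t1 t3) and
    (IMPLIES t2 t3) all true, yet n_t3 stays undefined because no case split is made.
    Returns (gamma(n_t3), whether the result is B-consistent)."""
    clauses = (meaning_postulates("or12", "OR", "t1", "t2")
               + meaning_postulates("imp13", "IMPLIES", "t1", "t3")
               + meaning_postulates("imp23", "IMPLIES", "t2", "t3"))
    gamma = normalize(clauses, {"or12": True, "imp13": True, "imp23": True})
    return gamma.get("t3"), not is_inconsistent(clauses, gamma)


def order_independent(clauses: List[Clause], gamma: Labeling, trials: int = 25) -> bool:
    """Normalization theorem of 4.1.2: every choice order gives B-equivalent results,
    i.e. the same labeling or two B-inconsistent labelings."""
    rng = random.Random(0)
    reference = normalize(clauses, gamma)
    for _ in range(trials):
        shuffled = list(clauses)
        rng.shuffle(shuffled)
        result = normalize(shuffled, gamma)
        both_bad = is_inconsistent(clauses, result) and is_inconsistent(clauses, reference)
        if result != reference and not both_bad:
            return False
    return True
```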


Definition: Two partial labelings $\gamma_1$ and $\gamma_2$ of a Boolean constraint graph $B$ will be called $B$-equivalent if either $\gamma_1$ equals $\gamma_2$ or both $\gamma_1$ and $\gamma_2$ are $B$-inconsistent.

Normalization Theorem: For any partial labeling $\gamma$ of a Boolean constraint graph $B$ the Boolean constraint propagation procedure terminates and all possible values of $N_B(\gamma)$ are $B$-equivalent.


This theorem can be proven by examining the inference relation $\to_B$. Viewing $\to_B$ as a reduction relation, the above theorem is implied by the fact that the relation $\to_B$ satisfies a certain Church-Rosser property. The Church-Rosser property of $\to_B$ is proven using general lemmas that apply to any reduction relation.


Definition: For any binary relation $\to$ we write $x \to^* y$ if either $x$ equals $y$ or there exists some $z$ such that $x \to z$ and $z \to^* y$.

We say that $\to$ is well founded if there is no infinite sequence

$x_1 \to x_2 \to x_3 \to \cdots$

We say that $y$ is a normal form under $\to$ if there is no $z$ such that $y \to z$. We say that $y$ is a normal form of $x$ under $\to$ if $y$ is a normal form under $\to$ and $x \to^* y$.

We say that $\to$ is a terminating normalizer modulo an equivalence relation $\approx$ if $\to$ is well founded and normalizations under $\to$ are unique up to $\approx$, i.e. if $y$ and $z$ are both normal forms of $x$ then $y \approx z$.


$\to_B$ Normalization Lemma: $\to_B$ is a terminating normalizer modulo $B$-equivalence.


To prove the normalization lemma first note that whenever $\gamma \to_B \gamma'$ the labeling $\gamma'$ provides more truth labels than does $\gamma$. Since there are only finitely many nodes in $B$ there can not be any infinitely long reduction chains under the relation $\to_B$. Thus $\to_B$ is well founded. Thus, to prove that $\to_B$ is a terminating normalizer it suffices to show that normal forms are unique up to $B$-equivalence.


Definition: We say that $\to$ satisfies the diamond property modulo an equivalence relation $\approx$ if for every $x$, $y$ and $z$ such that $x \to y$ and $x \to z$ there exists a $w$ and $w'$ such that $y \to^* w$, $z \to^* w'$ and $w \approx w'$.

Diamond Lemma: If $\to$ is well founded and satisfies the diamond property modulo $\approx$ then for any object $x$ in the domain of the relation $\to$, all normal forms of $x$ under $\to$ are equivalent under $\approx$, i.e. $\to$ is a terminating normalizer modulo $\approx$.


The diamond lemma as stated above is a straightforward modification of a theorem proved by Knuth and Bendix for term rewrite systems [Knuth & Bendix 69]. The diamond property for a given relation can be proven by showing that individual inferences commute. More specifically if there are two open unit clauses which each can be used to extend the partial truth labeling in two different ways then one can perform both inferences and the result is the same no matter which inference is performed first. Unfortunately the situation is complicated by the possibility of contradictions but the basic result holds: $\to_B$ satisfies the diamond property modulo $B$-equivalence of partial truth labelings.


Lemma: $\to_B$ satisfies the diamond property modulo $B$-equivalence.

Proof: Suppose $\gamma_0 \to_B \gamma_1$ and $\gamma_0 \to_B \gamma_2$ where $\gamma_1$ is a different labeling from $\gamma_2$. From the definition of $\to_B$ there must exist distinct literals $\Psi_1$ and $\Psi_2$ such that

$\gamma_1 = \gamma_0[\Psi_1 := \text{true}]$

and

$\gamma_2 = \gamma_0[\Psi_2 := \text{true}]$

Let $c_1$ be the clause in $B$ which is an open $\gamma_0$-unit-clause with unit literal $\Psi_1$ and let $c_2$ be the clause in $B$ which is an open $\gamma_0$-unit-clause with unit literal $\Psi_2$.

First suppose that $\Psi_1$ and $\Psi_2$ are opposite literals for the same formula node. In this case the assignment $\Psi_1 := \text{true}$ will cause $\Psi_2$ to be false. Thus every literal in $c_2$ will be false under $\gamma_1$ so in this case $\gamma_1$ is $B$-inconsistent. Similarly every literal in $c_1$ will be false under $\gamma_2$ and so in this case $\gamma_2$ is $B$-inconsistent. But if $\gamma_1$ and $\gamma_2$ are both $B$-inconsistent then they are $B$-equivalent so the diamond property holds.

Now suppose that the literals $\Psi_1$ and $\Psi_2$ involve different formula nodes. Let $\gamma_3$ be the labeling

$(\gamma_0[\Psi_1 := \text{true}])[\Psi_2 := \text{true}]$

Since $\Psi_1$ and $\Psi_2$ involve different formula nodes $\gamma_3$ can also be written as

$(\gamma_0[\Psi_2 := \text{true}])[\Psi_1 := \text{true}]$

Since $\Psi_1$ and $\Psi_2$ involve different formula nodes the clause $c_2$ is still an open $\gamma_1$-unit-clause. Thus if $\gamma_1$ is $B$-consistent $\gamma_1 \to_B \gamma_3$. Similarly if $\gamma_2$ is $B$-consistent then $\gamma_2 \to_B \gamma_3$. Thus if both $\gamma_1$ and $\gamma_2$ are $B$-consistent then they both reduce to $\gamma_3$ so the diamond property holds. If both $\gamma_1$ and $\gamma_2$ are $B$-inconsistent then they are $B$-equivalent so the diamond property holds. Now suppose that $\gamma_1$ is $B$-consistent but $\gamma_2$ is not. In this case $\gamma_1$ reduces to $\gamma_3$. But $\gamma_3$ is a proper extension of $\gamma_2$ and $\gamma_2$ is $B$-inconsistent so $\gamma_3$ must also be $B$-inconsistent. But this implies that $\gamma_3$ is $B$-equivalent to $\gamma_2$ so the diamond property holds.

Since $\to_B$ is well founded and satisfies the diamond property modulo $B$-equivalence for partial truth labelings the Knuth-Bendix diamond lemma implies that normalizations are unique up to $B$-equivalence and thus $\to_B$ is a terminating normalization relation modulo $B$-equivalence. Thus, up to $B$-equivalence, there is only one possible value of $N_B(\gamma)$.

4.1.3  Semantic  Soundness 

For any Boolean constraint graph $B$ the relation $\to_B$ can be viewed as an inference relation. It is possible to provide a simple semantics for Boolean constraint graphs and prove that the relation $\to_B$ is sound modulo this semantics. For the most part the soundness of $\to_B$ is self evident. However the semantics given here provides groundwork that will be needed to prove the soundness of semantic modulation inference relations.

Any semantic interpretation of a set of formula nodes provides a way of assigning every node a truth value, either true or false. Thus any semantic interpretation of a set of formula nodes yields a complete truth labeling of those nodes.

Definition: A partial truth labeling of a Boolean constraint graph $B$ is called complete if it assigns every node a truth label. Complete labelings will be called Boolean interpretations and will be denoted with the Greek letter $\omega$.

Clauses  in  a  Boolean  constraint  graph  and  any  partial  truth  labelings  express 
constraints  on  possible  interpretations. 


Definition: Let $B$ be a Boolean constraint graph, let $\gamma$ be a partial truth assignment on the nodes in $B$, and let $\omega$ be a Boolean interpretation of the nodes in $B$.

We say that $\omega$ satisfies a clause

$\Psi_1 \vee \Psi_2 \vee \cdots \vee \Psi_k$

if $\omega$ makes at least one of the literals true. We say that $\omega$ satisfies the Boolean constraint graph $B$ just in case $\omega$ satisfies every clause in $B$.

We say that $\omega$ satisfies the partial truth labeling $\gamma$ if every node that is assigned a truth label by $\gamma$ is assigned the same truth label by $\omega$.

The reduction relation $\to_B$ can be viewed as a sound inference relation in the sense that if $\gamma_1 \to_B \gamma_2$ then every constraint in $\gamma_2$ is implied by the constraints in $\gamma_1$ and $B$, i.e. if $\omega$ satisfies $\gamma_1$ and $B$ then $\omega$ also satisfies $\gamma_2$.

$\to_B$ Soundness Lemma: If $\omega$ is a Boolean interpretation that satisfies a Boolean constraint graph $B$ and a partial truth labeling $\gamma$, and if $\gamma \to_B \gamma'$, then $\omega$ satisfies $\gamma'$.
4.2 Equality Constraint Graphs


This section describes equality constraint graphs and the inference mechanisms that apply to them. Sections 4.2.1 and 4.2.2 can be safely ignored by readers who are not interested in correctness proofs.

As the name implies, equality constraint graphs are used to reason about equality. In addition to clause links equality graphs have equality links. An equality link expresses the fact that a certain formula node represents an equation between two other nodes. Equality constraint graphs have both formula and non-formula nodes. The non-formula nodes in an equality constraint graph are divided into two types: quotation nodes and non-formula non-quotation nodes. No two quotation nodes should ever be equal. If there are $n$ quotation nodes then there are order $n^2$ potential equalities between these nodes; the existence of quotation nodes eliminates the need to explicitly state that these $n^2$ equalities are all false. In the Ontic compilation process quotation nodes are used to represent quotation expressions of the form (QUOTE symbol).


Definition: An equality constraint graph $\mathcal{E}$ consists of a set of formula nodes, a set of clause links over the formula nodes, a set of quotation nodes, a set of non-formula non-quotation nodes, and a set of equality links of the form

$p \Leftrightarrow n = m$

where $p$ is a formula node in $\mathcal{E}$ and $n$ and $m$ are any nodes in $\mathcal{E}$.

Let $B$ be the Boolean constraint graph consisting of the formula nodes and clause links in an equality constraint graph $\mathcal{E}$. We say that $B$ is the Boolean constraint graph underlying $\mathcal{E}$.

An equality link of the form $p \Leftrightarrow n = m$ says that the formula node $p$ represents the equality between nodes $n$ and $m$. The Ontic compiler creates an equality link every time it compiles an equality formula. More specifically, every time a node of the form $n_{(=\ a\ b)}$ is created the system constructs the equality link

$n_{(=\ a\ b)} \Leftrightarrow n_a = n_b$

where $n_a$ is the node representing the expression $a$ and $n_b$ is the node representing the expression $b$.

The labelings of equality graphs contain both a partial truth labeling of formula nodes and a color labeling of all nodes. The color labeling represents information about the equality of nodes: two nodes with the same color are considered equal.


Definition: A labeling $\mathcal{L}$ of a colorable node set $\mathcal{E}$ is a pair $\langle \gamma, \kappa \rangle$ where $\gamma$ is a partial truth labeling of the formula nodes in $\mathcal{E}$ and $\kappa$ is a color labeling which maps every node in $\mathcal{E}$ to a color.


The notion of a labeling as defined above is meaningful independent of the links in the graph structure $\mathcal{E}$. A labeling contains information about which formula nodes are true (or false) and information about equivalences between nodes (both equivalences between formula nodes and equivalences between non-formula nodes). However the links in an equality constraint graph $\mathcal{E}$ can be thought of as constraints on labelings. More specifically, we have the following definition of an $\mathcal{E}$-inconsistent labeling.


Definition: We say that a labeling <γ, κ> of E is E-inconsistent
if any of the following conditions hold:

• γ is B-inconsistent where B is the Boolean constraint graph
underlying E.

• There is some equality link p <=> n = m in E such that
κ(n) = κ(m) but γ(p) = false.

• There are two distinct quotation nodes n and m in E such
that κ(n) = κ(m).

• There are two formula nodes p and q such that κ(p) = κ(q),
both γ(p) and γ(q) are defined but γ(p) is the opposite of
γ(q).

If a labeling L is not E-inconsistent then we say that the labeling
<γ, κ> is E-consistent.


A given equality constraint graph E is associated with an inference relation
->_E on labelings. The inference relation ->_E can extend a labeling in
one of two ways: it can add a new truth label on a formula node or it can
merge two equivalence classes by assigning both classes the same color label.
When two equivalence classes are merged the smaller class is recolored to be
the color of the larger class. This class merger operation can be defined as
follows:


Definition: If κ is a color labeling of the nodes in E, and n
and m are nodes in E then the color map κ[union(n, m)] is a
color map which yields the same equivalence relation as κ except
that the equivalence classes of n and m have been merged. More
specifically, if the size of the equivalence class of n under κ is less
than or equal to the size of the class of m under κ then the map
κ[union(n, m)] is defined as follows:

κ[union(n, m)](q) = κ(m)   if κ(q) = κ(n)
                    κ(q)   otherwise

The above definition specifies that the union operation recolors
the class of n to be the same color as the class of m. If the size
of the class of n under κ is larger than the size of the class of
m under κ then κ[union(n, m)] equals κ[union(m, n)]. The union
operation always recolors the smaller equivalence class.


It is now possible to define the inference relation ->_E.

Definition: Let L be a labeling of E which is equal to the pair
<γ, κ>. Let L' be a labeling of E which is equal to the pair
<γ', κ'>. We write L ->_E L' if one of the following conditions
hold:

• κ = κ' and γ' is derived from γ via unit inference, i.e. γ ->_B γ'
where B is the Boolean constraint graph underlying E.

• E contains the link p <=> n = m and each of the following
conditions hold

  - γ(p) = true

  - κ(n) ≠ κ(m)

  - γ' = γ and κ' = κ[union(n, m)]

• E contains the link p <=> n = m and each of the following
conditions hold

  - κ(n) = κ(m)

  - γ(p) is undefined

  - κ' = κ and γ' = γ[p := true]

• E contains two formula nodes p and q such that the following
conditions hold:

  - κ(p) = κ(q)

  - γ(p) is defined but γ(q) is not.

  - κ' = κ and γ' = γ[q := γ(p)]

4.2.1  Semantic  Soundness 

Any  semantic  interpretation  of  an  equality  constraint  graph  provides  both  a 
truth  labeling  and  a  color  labeling  where  two  nodes  have  the  same  color  just 
in  case  they  denote  the  same  semantic  object.  A  labeling  that  corresponds 
to  a  semantic  interpretation  must  be  complete  in  that  every  formula  node 
must  have  a  truth  label. 


Definition: A labeling L of an equality constraint graph E is
called complete if L assigns every formula node in E a truth label,
either the label true or the label false. Complete labelings are also
called possible worlds.

The term "possible world" comes from modal logic: there is a strong similarity
between the semantics of the graphs described in chapter 5 and the possible
world semantics of modal logic. Clause links and equality links can both
be viewed as constraints on possible worlds. A partial labeling can also be
viewed as a constraint on possible worlds.


Definition: A possible world w satisfies an equality constraint
graph E just in case the truth labeling of w satisfies every clause
link in E, no two quotation nodes of E are assigned the same color
by w, any two formula nodes which are assigned the same color
label by w are assigned the same truth label by w, and for every
equality link p <=> n = m in E, the world w assigns p the label
true just in case w assigns n and m the same color label.

A possible world w satisfies a labeling L of an equality constraint
graph E just in case every formula node which is assigned a truth
value by L is assigned the same truth value by w and if two
nodes n and m are assigned the same color by L then n and m
are assigned the same color by w.

The reduction relation ->_E can be viewed as a sound inference relation
in the sense that if L1 ->_E L2 then every constraint in L2 is implicitly present
in E and L1, i.e. if an interpretation satisfies E and L1 then it also satisfies
L2.


->_E Soundness Lemma: If w is a possible world that satisfies
the equality constraint graph E and the labeling L, and if L ->_E L',
then w satisfies L'.


4.2.2 Termination and Order Independence

Note that if L ->_E L' then either L' provides more truth labels than L or L'
has fewer colors (equivalence classes) than L. Since there are only finitely
many formula nodes that can take truth labels, and since the number of
equivalence classes can not be reduced below one, the inference process must
terminate, i.e. there are no infinite inference chains of the form

L1 ->_E L2 ->_E L3 ->_E ...

Thus the relation ->_E is well founded.

To prove that ->_E yields a well defined normalization operation one must
show that all normal forms of a labeling L are equivalent modulo some
equivalence relation. This equivalence of normal forms can be established under
the following equivalence relation.

Definition: Two labelings L and L' of a colorable node set E
are called E-equivalent if either both L and L' are E-inconsistent
or if they both provide the same partial truth labeling on the
formula nodes in E and the color labelings in L and L' determine
the same equivalence relation on E.

->_E Normalization Lemma: ->_E is a terminating normalizer
relative to E-equivalence.

The proof of the above theorem uses the Knuth-Bendix diamond lemma.
The proof that ->_E satisfies the diamond property relative to E-equivalence
is similar to the proof that ->_B satisfies the diamond property relative to
B-equivalence; both proofs are based on the commutativity of individual
inference reductions.

4.2.3  Running  Time 

The union operation used to construct κ[union(n, m)] recolors the smaller
of the two equivalence classes. This has the important consequence that every
time the color label of a node n changes the size of n's equivalence class at
least doubles. Let |E| be the number of nodes in E. The color label for a given
node n can change at most floor(log2 |E|) times because if the color of n changed
more than floor(log2 |E|) times the equivalence class of n would be larger than
|E|. Since the color of a given node n can change at most floor(log2 |E|) times the
total number of coloring operations required to normalize a labeling L is at
most |E| floor(log2 |E|). Since the number of truth labeling operations is at most
|E| the total number of labeling operations is order |E| log |E|.


4.3  Congruence  Constraint  Graphs 


This section describes congruence constraint graphs and the inference
mechanisms that apply to them. Sections 4.3.1 and 4.3.2 can be safely ignored by
readers who are not interested in correctness proofs.

Congruence constraint graphs are just like equality graphs except that
they contain subexpression links. Subexpression links relate a node for a
composite expression to nodes for its subexpressions. For example a
subexpression link might relate the node representing the expression (FOO A) to
the nodes representing FOO and A. The labeling process which uses
subexpression links is called congruence closure. Congruence closure effectively
performs the substitution of equals for equals. For example consider a color
labeling such that the node for A and the node for B are assigned the same
color and yet the nodes for (FOO A) and (FOO B) have different colors. This
labeling would not respect the substitution of equals for equals. A color
labeling is said to be congruence closed if it does respect the substitution of
equals for equals.


Definition: A congruence constraint graph C is an equality
constraint graph augmented with a set of subexpression links of
the form

(m_1 m_2 ... m_k) = n

where n and each m_i are nodes in C.

Let E be the equality constraint graph derived from a congruence
constraint graph C by deleting all subexpression links. We say
that E is the equality constraint graph underlying C.

A  labeling  of  a  congruence  constraint  graph  is  a  labeling  of  the 
underlying  equality  constraint  graph. 


A subexpression link of the form (m_1 m_2 ... m_k) = n says that the node
n represents the application of the operator m_1 to the arguments m_2 ...
m_k. The Ontic compiler generates subexpression links whenever it compiles
an applicative expression. Subexpression links can be used to define a new
inference relation on labelings.


Definition: A labeling L of a congruence constraint graph C is
called C-consistent just in case L is E-consistent where E is the
equality constraint graph underlying C.

For any two labelings L and L' of a congruence constraint graph
C we write L ->_C L' just in case L is equality consistent and either:

• L ->_E L' where E is the equality constraint graph underlying
C.

• L' can be derived from L via a congruence inference, i.e. L
is a pair <γ, κ> such that there are two subexpression links
(n_1 n_2 ... n_k) = n and (p_1 p_2 ... p_k) = p in C such that for
each pair n_i and p_i of corresponding subnodes κ(n_i) = κ(p_i)
but κ(n) ≠ κ(p) and L' is the pair <γ, κ[union(n, p)]>.


If a labeling L is normalized relative to ->_C then there is no pair of
subexpression links satisfying the conditions for congruence inference given
in the definition of ->_C. This implies that if L is normalized under ->_C then
L is congruence closed.
4.3.1 Semantic Soundness

Recall that a possible world is a complete labeling, i.e. a color and truth
labeling which assigns every formula node a truth label. The links in a
congruence constraint graph can be viewed as constraints on possible worlds.

Definition: A possible world w satisfies a congruence constraint
graph C just in case w satisfies the underlying equality constraint
graph and for any two subexpression links

(m_1 m_2 ... m_k) = n

and

(p_1 p_2 ... p_k) = q

if for each m_i the world w assigns m_i and p_i the same color then
w assigns n and q the same color.

The reduction relation ->_C can be viewed as a sound inference relation
in the sense that if L1 ->_C L2 then the constraints in C and L1 semantically
imply the constraints in L2.

->_C Soundness Lemma: If w is a possible world that satisfies
both a congruence constraint graph C and a labeling L of C, and
if L ->_C L' then w satisfies L'.

4.3.2 Termination and Order Independence

If L ->_C L' then either L' provides more truth labels than L or L' provides
fewer color labels, and thus allows fewer equivalence classes than L. Since
there can not be more truth labels than there are formula nodes, nor fewer
equivalence classes than one, every reduction chain must terminate. Thus
the relation ->_C is well founded.

To prove that ->_C yields a well defined normalization operation one must
show that all normal forms of a labeling L are equivalent modulo some given
equivalence relation.


->_C Normalization Lemma: ->_C is a terminating normalizer
modulo E-equivalence where E is the equality constraint graph
underlying C.


The above theorem is proved via the Knuth-Bendix diamond lemma and the
proof that ->_C satisfies the diamond property is based on the commutativity
of individual inferences.


4.3.3  Implementation  Techniques 

For any labeling L of a congruence constraint graph C we can define N_C(L) to
be any normal form of L under the reduction relation ->_C. The definition of
->_C specifies the value of N_C(L) up to E-equivalence where E is the equality
constraint graph underlying C. Furthermore, because the size of a node's
equivalence class at least doubles every time the node is assigned a new
color, the normalization procedure involves at most order |C| log |C| labeling
operations. The above specification however does not provide a complete
description of an efficient implementation of the normalization function N_C.
More specifically no procedure has been given for finding the clauses, equality
links, and subexpression links involved in a single step of the normalization
process.

Most  labeling  inferences  involve  a  single  link  in  the  graph  structure;  the 
inference  is  justified  by  a  single  link  and  the  label  of  the  nodes  in  that  link. 
Boolean  constraint  propagation  based  on  clause  links,  for  example,  always 
involves  a  single  clause.  There  are  certain  inferences,  however,  that  involve 
two  objects  that  are  not  connected  by  any  single  link.  For  example,  to  test 
for  consistency  the  system  must  determine  if  two  quotation  nodes  have  the 
same  color  label.  To  quickly  test  for  the  presence  of  two  quotation  nodes 
with the same color label one can maintain a hash table with entries of the
form c |-> n where c is a color and n is a quotation node. Every time a
quotation node n is assigned a color c one checks the hash table to see if
some  other  quotation  node  has  been  labeled  with  color  c.  If  there  is  such 
a  node,  an  inconsistency  is  flagged.  If  there  is  no  such  node  then  one  adds 
a  new  entry  to  the  hash  table.  This  hash  table  can  be  maintained  during 
the  inference  process.  Assuming  hash  lookup  takes  constant  time,  the  time 
needed  to  maintain  this  hash  table  is  proportional  to  the  number  of  color 
labeling  operations. 

Another  example  of  an  inference  that  involves  two  objects  not  related 
by  a  single  link  is  congruence  inference.  Congruence  inference,  as  defined  in 
the  previous  section,  requires  finding  two  subexpression  links  which  together 
justify  a  congruence  inference.  Let  s  be  the  number  of  subexpression  links. 
Searching  all  pairs  of  subexpression  links  for  a  possible  congruence  inference 
might require order s^2 comparisons. Fortunately an additional data structure
can be used to eliminate the need for s^2 comparisons.

Each  labeling  of  a  congruence  constraint  graph  can  be  augmented  with 
a  hash  table  that  maps  tuples  of  colors  to  nodes.  More  specifically  each 
labeling  is  associated  with  a  set  of  hash  table  entries  of  the  form 

<c_1 c_2 ... c_k> |-> n

where each c_i is a color and n is a node. Such a table entry corresponds to
a subexpression link of the form

(m_1 m_2 ... m_k) = n

where each node m_i has color c_i. Using this hash table it is possible to quickly
determine if there are two subexpression links satisfying the conditions for
congruence inference. Such a hash table can be incrementally maintained as
a labeling is normalized.

Given  the  hash  tables  described  above  it  is  possible  to  determine  if  a 
labeling  can  be  further  reduced  by  independently  examining  individual  links. 
If a given link l can not be used to generate an inference then l need not be
checked again until some label changes for some node in l. The total number
of labeling operations performed on any given node is order log(n) where n
is the number of nodes in the graph. If there is some upper bound on the
number of nodes that appear in any given link then the number of times a
given link needs to be checked is also order log(n). Thus, if e is the number
of links in the graph, and n is the number of nodes, the total number of link
checks is order e log(n) and the total number of labeling operations is order
n log(n). Efficient congruence closure algorithms are described in [Downey,
Sethi, & Tarjan 80].
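The labeling machinery of sections 4.2 and 4.3 in Python, as an added example that is not Ontic's own code: equality links, the union operation that recolors the smaller class, the quotation-node and color-tuple hash tables of section 4.3.3, and the floor(log2 |E|) recoloring bound of section 4.2.3. Node names, the sample graph and the representation of links are constructed for illustration; the clause links of the underlying Boolean graph are left out, and the color-tuple table is rebuilt on each pass instead of being maintained incrementally.

```python
from collections import defaultdict


class CongruenceGraph:
    """Congruence constraint graph (sections 4.2-4.3) with its labeling.
    self.truth is gamma (partial truth labels of formula nodes) and self.color
    is kappa (a color for every node).  Added example, not Ontic's own code."""

    def __init__(self):
        self.formula, self.quotation = set(), set()
        self.eq_links = []   # (p, n, m)  stands for  p <=> n = m
        self.sub_links = []  # ((m1, ..., mk), n)  stands for  (m1 ... mk) = n
        self.truth, self.color = {}, {}
        self.members = defaultdict(set)      # color -> nodes with that color
        self.recolorings = defaultdict(int)  # how often each node changed color

    def node(self, n, formula=False, quotation=False):
        # a new node is the only member of its own color class
        self.color[n] = n
        self.members[n].add(n)
        if formula:
            self.formula.add(n)
        if quotation:
            self.quotation.add(n)
        return n

    def union(self, n, m):
        """kappa[union(n, m)]: recolor the smaller class with the larger's color."""
        cn, cm = self.color[n], self.color[m]
        if cn == cm:
            return False
        if len(self.members[cn]) > len(self.members[cm]):
            cn, cm = cm, cn
        for q in self.members.pop(cn):
            self.color[q] = cm
            self.members[cm].add(q)
            self.recolorings[q] += 1  # q's class has at least doubled in size
        return True

    def step(self):
        """Perform one ->_C reduction; return False if the labeling is normal."""
        for p, n, m in self.eq_links:  # the two equality-link inferences
            if self.truth.get(p) is True and self.union(n, m):
                return True
            if self.color[n] == self.color[m] and p not in self.truth:
                self.truth[p] = True
                return True
        for p in self.formula:  # formula nodes of one color share a label
            for q in self.members[self.color[p]] & self.formula:
                if p in self.truth and q not in self.truth:
                    self.truth[q] = self.truth[p]
                    return True
        table = {}  # color tuple -> node: the hash table of section 4.3.3
        for args, n in self.sub_links:  # congruence inference
            key = tuple(self.color[a] for a in args)
            if key in table and self.union(table[key], n):
                return True
            table.setdefault(key, n)
        return False

    def consistent(self):
        """E-consistency of the current labeling (definition in section 4.2)."""
        for p, n, m in self.eq_links:
            if self.color[n] == self.color[m] and self.truth.get(p) is False:
                return False
        seen = {}  # color -> quotation node: distinct quotations must differ
        for q in self.quotation:
            if seen.setdefault(self.color[q], q) != q:
                return False
        for p in self.formula:
            for q in self.members[self.color[p]] & self.formula:
                if p in self.truth and q in self.truth and self.truth[p] != self.truth[q]:
                    return False
        return True

    def normalize(self):
        """Reduce to a normal form and report whether it is E-consistent."""
        while self.consistent() and self.step():
            pass
        return self.consistent()

    def recolor_bound_holds(self):
        """Section 4.2.3: no node is recolored more than floor(log2 |E|) times."""
        bound = len(self.color).bit_length() - 1
        return max(self.recolorings.values(), default=0) <= bound


def substitution_demo():
    """Constructed input: A = B must force (FOO A) = (FOO B) by congruence."""
    g = CongruenceGraph()
    for v in ("A", "B", "FOO", "(FOO A)", "(FOO B)"):
        g.node(v)
    p_ab = g.node("A=B", formula=True)
    p_foo = g.node("(FOO A)=(FOO B)", formula=True)
    g.eq_links += [(p_ab, "A", "B"), (p_foo, "(FOO A)", "(FOO B)")]
    g.sub_links += [(("FOO", "A"), "(FOO A)"), (("FOO", "B"), "(FOO B)")]
    g.truth[p_ab] = True  # the asserted equality
    return g.normalize(), g.truth.get(p_foo), g.recolor_bound_holds()
```

Asserting an equality between two distinct quotation nodes gives them one color, which normalize() reports as an inconsistency through the quotation hash table.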
Chapter 5

Inference  with  Quantifiers 


Focused binding and automatic universal generalization are graph labeling
inference processes that construct binding environments and quantified
formulas. Certain nodes in the graph structure are identified as variable nodes.
Graph labelings are used to represent variable bindings. For example if n is
a variable node and r is some other node then the binding n |-> r can be
represented in a graph labeling by merging the equivalence classes of n and r.
This graph theoretic binding mechanism forms the basis for an inheritance
mechanism; a binding of the form n |-> r causes information known to be
true of the variable (or generic individual) n to be inherited by the particular
instance r.

Ontic’s  inference  mechanisms  are  fully  described  in  sections  5.1,  5.4,  5.5 
and  5.6;  sections  5.2  and  5.3  can  be  safely  ignored  by  readers  who  are  not 
interested  in  correctness  proofs. 


5.1  Semantic  Modulation  Graphs 


Semantic modulation graphs have two new kinds of nodes: variable nodes
which represent variables and type nodes which represent types. Semantic
modulation graphs also have two new kinds of links: type declaration links
that associate a variable with a type and type assertion links each of which
states that a certain formula node represents the statement that a certain
object (node) is an instance of a certain type.

This section describes the inference relation ->_S. The inference relation
->_S both performs inference and generates variable bindings. However, the
relation ->_S is not guided by focus objects. Section 5.4 describes the relation
->_{S,F} which is similar to ->_S except that the generation of variable bindings
is guided by a set F of focus objects.

Before  defining  semantic  modulation  graphs  we  define  the  preliminary 
notion  of  a  variable  graph.  A  semantic  modulation  graph  is  a  variable  graph 
that  satisfies  a  certain  non-circularity  constraint. 


Definition: A variable graph consists of a congruence constraint
graph together with the following:

• A classification of the non-formula non-quotation nodes into
variable nodes, type nodes, and unclassified nodes.

• A set of free variable links of the form

n << r

where n is a variable node. Such a link says that n represents
a variable that appears free in the expression represented by r.

• A set of type declaration links; for each variable node n there
is exactly one type declaration link of the form

n:m

The node m is called the type node of n and n is called a
variable of type m.

• A set of type formula links of the form

p <=> r:m

where p is a formula node, r is any node, and m is a type
node. Such a link says that formula node p represents the
statement that node r is an instance of the type represented
by m.

• A set of subtype links of the form

q <=> m -< m'

where q is a formula node and m and m' are type nodes.
Such a link says that q represents the formula that m is a
subtype of m', i.e. every instance of m is an instance of m'.

Let C be the congruence constraint graph derived from a variable
graph V by removing all free variable links, type declaration
links, type formula links, and subtype links. We say that C is the
congruence constraint graph underlying V.

It  may  seem  that  the  free  variable  links  are  redundant;  it  seems  that 
one  could  define  the  free  variables  of  a  node  in  terms  of  the  subexpression 
links  discussed  in  chapter  4.  Since  a  semantic  modulation  graph  is  just  a 
congruence  graph  with  additional  structure  these  subexpression  links  are 
part  of  a  semantic  modulation  graph.  Unfortunately  the  graph  may  contain 
nodes  that  represent  lambda  closures  (functions,  types,  and  type  generators). 
These  nodes  represent  expressions  that  contain  free  variables  but  these  nodes 
are  not  involved  in  subexpression  links  in  a  way  that  allows  the  free  variables 
to  be  determined  from  the  subexpression  links.  Thus  explicit  free  variable 
links  are  needed. 

The semantic modulation inference mechanisms manipulate bindings of
the form n |-> r where n is a variable node. A binding of the form n |-> r
can be viewed as an instruction to set the value of the variable n to the
node r. Changing the value of a given variable forces the values of certain
other nodes to change. In ordinary predicate calculus changing the value of
a variable x causes changes in the meanings of terms that contain x as a
free variable; the meaning of expressions which do not contain x as a free
variable will not change when x is changed. The situation in Ontic is slightly
more complex. Suppose that x is a variable ranging over sets and that y is
a variable of type (MEMBER-OF x). In this case changing the meaning of the
variable x may force a change in the meaning of the variable y even though x
is not a free variable of y. In general if x is a variable which appears free in
the type node of another variable y then we say that y depends on x. This
notion of dependency can be defined in terms of the structure of a variable
graph.


Definition: Let s be a node in a variable graph V and let n be
a variable node in V. We say that n is a free variable of s just
in case V contains the free variable link n << s. We say that s
depends on n just in case n is a free variable of s or there is some
free variable n' of s such that the type node of n' depends on n.

The  soundness  (or  validity)  of  the  semantic  modulation  inference  process 
relies  on  an  additional  property  of  graphs.  More  specifically,  the  soundness 
of  the  semantic  modulation  inference  process  requires  that  the  type  node  of 
a  variable  n  does  not  depend  on  n.  Intuitively  this  condition  allows  one  to 
assign  the  value  of  a  variable  without  changing  the  type  of  the  variable. 

Definition:  A  semantic  modulation  graph  S  is  a  variable  graph 
such  that  for  every  variable  node  n  the  type  node  of  n  does  not 
depend  on  n. 

In addition to manipulating truth and color labels, the semantic
modulation inference process manipulates variable bindings. More specifically, a
state of the semantic modulation inference process contains both a truth and
color labeling L and a binding set β where β contains bindings of the form
n |-> r where n is a variable node.


Definition: Let S be a semantic modulation graph. A binding
set β over S is a set of bindings of the form n |-> r where n is
a variable node and r is any node in S. We say that a variable
node n in S is bound under β if β contains a binding of the form
n |-> r. If n is not bound under β then n is called β-free.


In order to define the inference relation on semantic modulation graphs
the notion of dependence needs to be defined relative to a binding set β.
Recall that if s depends on n then changing the value of n may force a
change in the value of s. Consider a binding of the form n |-> r. In the
presence of the binding n |-> r changing the value of r forces a change in
the value of n; in the presence of the binding n |-> r the variable n depends
on r. This observation leads to the notion of β-dependence where β is any
binding set. If s β-depends on n then, in the presence of the binding set β,
changing the value of n may force a change in the value of s. The precise
semantic significance of the following syntactic definition will be discussed in
more detail in later sections.


Definition: Let β be a binding set over a semantic modulation
graph S.

We say that a node s β-depends on a variable node n if one of
the following conditions hold:

• n is a free variable of s.

• There exists a free variable n' of s such that n' is bound
under β with binding n' |-> r and r β-depends on n.

• There exists a free variable n' of s such that n' is not bound
under β, i.e. is β-free, and the type node for n' β-depends
on n.


I will use the term direct dependence to refer to the standard notion of
dependence as distinct from β-dependence. If β is empty then β-dependence
is the same as direct dependence. In the definition of β-dependence the
presence of a binding of the form n |-> r causes the variable node n to be
treated as a copy of the node r.
The inference relation ->_S for semantic modulation graphs operates on
binding labelings where each binding labeling consists of a truth and color
labeling together with a binding set.


Definition: Let S be a semantic modulation graph.

A truth and color labeling of S is a labeling L of the congruence
constraint graph underlying S.

A binding labeling T of S consists of a truth and color labeling L
of S together with a binding set β over S.


Before generating a binding of the form n |-> r the system must be sure that
r is an instance of the type of n. More specifically, for any given truth and
color labeling L and any node r it is possible to collect a set of types known
to contain r as an instance. These types are called the established types for
r.


Definition: Let L be a truth and color labeling of a semantic
modulation graph S and let r be any node in S. The set of L-
established-type-nodes for r is the least set of type nodes satisfying
the following conditions:

• If there exists a type formula link p <=> r:m in S such
that L assigns p the label true then the node m is an L-
established-type-node for r.

• If r' is a node which is assigned the same color as r under
the labeling L then all L-established-type-nodes for r' are
also L-established-type-nodes for r.

• If m is an L-established-type-node for r and m' is assigned
the same color as m under L then m' is also an L-established-
type-node for r.

• If m is an L-established-type-node for r and S contains a
subtype link p <=> m -< m' such that L assigns p the label
true then m' is an L-established-type-node for r.
Before generating a binding of the form n |-> r the system must be sure
that this binding can be satisfied. For example suppose that n ranges over
numbers and consider the binding n |-> n + 1. This binding is well typed
because n ranges over numbers and n + 1 is always a number. However there
is no interpretation which assigns n the same number as n + 1. The system
ensures that a binding of the form n |-> r can be satisfied by checking that
r does not depend on n, i.e. that it is possible to set the value of n to the
value of r without changing the value of r. It is now possible to define the
inference relation ->_S.


Definition: Let T be a binding labeling of S which consists of
the truth and color labeling L and the binding set β. Let T'
be a binding labeling of S which consists of the truth and color
labeling L' and the binding set β'.

We write T ->_S T' if L ->_C L' where C is the congruence constraint
graph underlying S and β = β', or if there exists a node r in S,
an L-established-type-node m for r, and a variable n of type m such
that the following conditions hold:


• r does not β-depend on n.

• n is β-free (i.e. not bound under β).

• β' = β ∪ {n |-> r} and L' is the truth and color labeling
which results from L by merging the equivalence classes of
n and r.


The bindings generated by →_S can not be deduced from information in the graph; the process which generates bindings is non-deductive. However it is possible to assign semantic meaning to binding labelings of semantic modulation graphs in such a way that the relation →_S can be proven to be semantically sound.
5.2 Semantic Soundness


This section proves the semantic soundness of the inference relation →_S. The inference relation →_S is fully specified in section 5.1 and those readers not interested in correctness proofs can safely ignore this section.

Before one can prove a soundness theorem for the relation →_S one must define a semantics for semantic modulation graphs. A semantics for a semantic modulation graph is a set of possible worlds analogous to the possible worlds in a model of modal logic. Given this semantics it is easy to state the soundness theorem for the inference relation →_S. The proof of the →_S soundness theorem requires the notion of a W-valid binding labeling; the relation →_S preserves the W-validity of binding labelings. Unfortunately the definition of a W-valid binding labeling is fairly complex. Furthermore the proof that →_S preserves W-validity is quite long and has been relegated to a separate section. This section defines the semantics of semantic modulation graphs, states the →_S soundness theorem, and defines the notion of W-validity which is preserved by →_S.


5.2.1  Semantics 

Semantic  modulation  graphs  have  a  more  sophisticated  semantics  than  any 
of  the  graphs  used  for  purely  quantifier  free  inference.  The  soundness  results 
for  Boolean  constraint  graphs,  equality  constraint  graphs  and  congruence 
constraint  graphs  were  stated  in  terms  of  a  single  possible  world  w.  On  the 
other  hand  the  soundness  result  for  semantic  modulation  graphs  is  stated 
in  terms  of  a  set  W  of  possible  worlds.  The  set  W  of  possible  worlds  is 
analogous  to  a  semantic  model  of  a  modal  logic. 

The graphs generated by the Ontic compiler have an intended semantics which is a special case of the general semantics defined in this section. Each node in a graph generated by the Ontic compiler is associated with an expression in the formal language Ontic. Expressions in the language Ontic have a semantics which is defined in terms of a universe of sets. More specifically, the meaning of an Ontic expression is defined relative to a universe and an interpretation of each variable as an object in that universe which is an instance of the type of the variable. Consider a fixed universe and consider all the type-respecting variable interpretations over that universe. Each type-respecting variable interpretation over a fixed universe determines a truth value for every Ontic formula and a meaning (value) for every Ontic expression. The meanings can be treated as colors and thus each type-respecting variable interpretation provides a truth and color labeling of the graph generated by the Ontic compiler. Each such truth and color labeling is complete in that every formula node has a truth label. The set of truth and color labelings that correspond to the different type-respecting variable interpretations over a fixed universe determines a set W of possible worlds.


Definition: Let S be a semantic modulation graph.

A semantics for S is a set W of possible worlds (complete truth and color labelings) for nodes in S together with a binary relation “:” on the color labels that appear in worlds in W.

The semantic domain of a semantics W for S is the set of all color labels which appear in the worlds in W.

If c and d are colors in the semantic domain of a semantics W and if c:d (i.e. c is related to d under the relation “:”) then we say that c is an instance of the type color d.


A color c in the semantic domain of a semantics W is called a type color if there exists a type node m and a world w in W such that m has color c in w. The relation “:” on colors allows a type color (or any color) to be viewed as a set. More specifically a type color c can be viewed as the set of all instances of c. Worlds assign colors to type nodes. Thus each world provides a way of interpreting each type node as a set; the set associated with type node m in world w is the set of all instances of the color of m in w. Note that the set associated with a given type node can be different in different worlds.


Definition: The color c is said to be an instance of a type node m in a world w just in case c : c_m where c_m is the color of m in the world w.

A type node m is said to be a subtype of a type node m′ in world w just in case every instance of m in w is also an instance of m′ in w.

Variables are nodes whose interpretation can be varied. More specifically suppose that n is a variable node with type node m. Furthermore suppose that w is a world such that c is an instance of the type node m in w. In this case it should be possible to interpret the variable n as the color c, i.e. one should be able to assign n the value c. Changing the interpretation of a variable n forces changes in the interpretation of expressions that depend on n. These intuitions are formally captured in the following semantic definition of an assignment.


Definition: Let W be a semantics for a semantic modulation graph S.

We say that two worlds w and w′ in W agree on a node s if w and w′ assign s the same color label and, if s is a formula node, w and w′ assign s the same truth label.

Let n be a variable node in S, let c be a color in the semantic domain of W, and let w be any world in W. An assignment of n to c in w is a world w[n := c] which assigns n the color c and which agrees with w on all nodes that do not depend on n.

The links in a semantic modulation graph can be viewed as constraints on possible worlds. More specifically a semantics W is called a satisfactory semantics for a semantic modulation graph S if the information in the links in S holds true under the semantics W.


Definition: We say that a semantics W for a semantic modulation graph S is a satisfactory semantics for S if the following conditions hold:

• Every world in W satisfies the congruence constraint graph underlying S.

• The labels of a node are determined by the labels of the free variables of that node, i.e. if w and w′ are two worlds in W such that w and w′ agree on all free variables of a node s, then w and w′ agree on s (in particular if s has no free variables then all worlds in W must agree on s).

• If p ⇔ r:m is a type formula link in S and w is a world in W then w assigns p the label true just in case the color of r in w is an instance of m in w.

• If p ⇔ m ≺ m′ is a subtype link in S and w is a world in W then w assigns p the label true just in case m is a subtype of m′ in w.

• If n is a variable node of type m and c is an instance of m in a world w then W contains an assignment w[n := c] of n to c in w.

It is now possible to state the main soundness theorem of this section. The proof of this theorem is long and complex and is given in the next section.


→_S Soundness Theorem: Let W be a satisfactory semantics for a semantic modulation graph S. Let T be a binding labeling with an empty binding set such that every world in W satisfies the truth and color labeling of T. Now suppose T →_S* T′ where T′ has binding set β′ and labeling ℒ′. If p is a formula node that is labeled true under ℒ′ and p does not depend on any variable bound under β′, then p must be labeled true in all worlds in W.


5.2.2 The Proof of the →_S Soundness Theorem

The proof of the semantic modulation soundness theorem relies on the construction of a complex property, or induction hypothesis, that is preserved under the relation →_S. More specifically, given a satisfactory semantics W for a semantic modulation graph S we define the notion of a W-valid binding labeling and prove that →_S preserves W-validity. A binding labeling is W-valid if its binding set is W-legal and the equations represented by its binding set imply the constraints in its labeling. The notion of a W-legal binding set is quite complex. First of all every W-legal binding set must be universally satisfiable in the following sense.


Definition: Let W be a satisfactory semantics for a semantic modulation graph S and let β be a binding set over S.

A world w in W satisfies the binding set β if for every binding n ↦ r in β, the world w assigns n and r the same color label.

The binding set β is W-universally-satisfiable if for every world w in W the semantics W also contains a world w[β] such that w[β] satisfies β and agrees with w on all nodes that do not depend on any variable bound under β.

It is interesting to note that a binding set can be type respecting but still not be universally satisfiable in the above sense. For example suppose that n is a variable node that ranges over all numbers. The expression n + 1 always denotes a number. Thus the binding n ↦ n + 1 is type respecting. However there is no world in which n equals n + 1 and so the binding n ↦ n + 1 is not satisfiable.

If one could prove that →_S preserves the universal satisfiability of binding sets and preserves the fact that a binding labeling's binding set implies the constraints in its labeling then one could prove the →_S soundness theorem. Unfortunately the notion of a universally satisfiable binding set does not provide a strong enough induction hypothesis; to prove that →_S preserves the universal satisfiability of binding sets it is necessary to prove that →_S preserves a stronger property of binding contexts. This stronger property is called W-legality. Before defining W-legality however we need the notion of a β-assignment. In the presence of a binding set β we are only concerned with those worlds that satisfy β. More specifically if w is a world that satisfies β then we are interested in finding assignments w[n := c] that also satisfy β.

Definition: Let β be a binding set over a semantic modulation graph S and let w be a world in a satisfactory semantics W for S. Let n be a variable node in S and let c be a color in the semantic domain of W. A β-assignment of n to c in w is a world w[β, n := c] which satisfies β, assigns n the color c, and which agrees with w on all nodes that do not β-depend on n.


Of course the above definition does not guarantee that β-assignments exist whenever c is an instance of the type of n. It turns out however that →_S preserves the property that if n is not bound under β then β-assignments exist for n. Recall that variables which are not bound under β are called β-free.


Definition: Let β be a binding set over a semantic modulation graph S and let W be a satisfactory semantics for S. We say that β-assignments exist in W if for every world w in W, every β-free variable node n in S, and every instance c of the type of n in world w under semantics W, the semantics W also contains a β-assignment w[β, n := c] of n to c in w.


There are universally satisfiable binding sets which do not have the property that β-assignments exist. However, the existence of β-assignments is one of the properties preserved under the relation →_S. The relation →_S preserves a property called W-legality. A binding set β is W-legal if it is universally satisfiable, β-assignments exist, and there are no β-dependency loops as defined below.


Definition: Let W be a satisfactory semantics for a semantic modulation graph S and let β be a binding set over S.

A β-dependency-loop is a variable node n such that either n is bound under β with binding n ↦ r and r β-depends on n, or n is β-free and the type node of n β-depends on n.

We say that the binding set β is W-legal if there are no β-dependency loops, β is W-universally-satisfiable, and β-assignments exist in W.


The notion of a W-legal binding set leads to the notion of a W-valid binding labeling. A binding labeling is W-valid if its binding set is W-legal and its color and truth labeling is implied by its binding set, i.e. every world which satisfies its binding set also satisfies its labeling.


Definition: Let W be a satisfactory semantics for a semantic modulation graph S. A binding labeling T is called W-valid if the binding set of T is W-legal and every world in W which satisfies the binding set of T also satisfies the labeling of T.


It is now possible to state the main theorem of this section: the relation →_S preserves W-validity.


→_S Preservation Theorem: Let W be a satisfactory semantics for a semantic modulation graph S. If T is a W-valid binding labeling and T →_S T′, then T′ is also W-valid.


Before giving the proof of the →_S preservation theorem it is important to note that the →_S preservation theorem implies the →_S soundness theorem. More specifically consider an initial binding labeling T, i.e. a binding labeling with an empty binding set and such that every world in the satisfactory semantics W satisfies the labeling of T. It is easy to show that any such initial binding labeling is W-valid. Now suppose T →_S* T′ and consider a formula node p which is labeled true under the labeling of T′ and such that p does not (directly) depend on any variable bound under the binding set of T′. To prove the →_S soundness theorem we must show that under these conditions all worlds in W label p true. Consider any world w in W. The →_S preservation theorem implies that T′ is W-valid and thus the binding set of T′ is W-legal. Let β be the binding set of T′; the binding set β is universally satisfiable and so there exists a world w[β] that satisfies β and that agrees with w on all nodes that do not (directly) depend on variables bound under β. Since T′ is W-valid, and since w[β] satisfies β, w[β] satisfies the labeling ℒ′ of T′, which labels p true. Thus w[β] labels p true. But since p does not depend on any variables bound under β, w[β] must agree with w on p. Thus w must label p true. Thus the →_S preservation theorem implies the →_S soundness theorem.


5.3 Proof of the →_S Preservation Theorem

This section can safely be ignored by those readers not interested in correctness proofs.

The proof of the →_S preservation theorem is fairly long and complex. Most of the complexity of this theorem results from the definition of β-dependence. The above definition of β-dependence implies that β-dependence is non-monotonic in β; the addition of a binding n ↦ r can remove as well as add dependencies. In particular, suppose s directly depends on n, i.e. s depends on n relative to the empty binding set. Further suppose that n directly depends on n′. In this case s depends on n′ in such a way that the dependency from s to n′ passes through the node n. If the dependency from s to n′ passes through the node n then the binding n ↦ r can “erase” this dependency; it is possible that s β-depends on n′ when β is empty but s does not β-depend on n′ if β consists of the single binding n ↦ r. Thus the β-dependence relation is non-monotonic in β; adding bindings to β can remove dependencies.

There is a simpler, monotonic, notion of β-dependence which I will call weak-β-dependence. A node s weakly-β-depends on a variable n if either s directly depends on n or there is a binding n′ ↦ r in β such that s weakly-β-depends on n′ and r weakly-β-depends on n. In the current discussion I will use the term strong-β-dependence to refer to the notion of β-dependence that has been used in the definition of →_S and the definition of a W-legal binding set. Strong-β-dependence implies weak-β-dependence but the converse does not hold; it is possible that s weakly-β-depends on n but that s does not strongly-β-depend on n. Weak-β-dependence is monotonic in β; adding bindings monotonically increases dependencies.

If weak-β-dependence had been used rather than strong-β-dependence the relation →_S would still preserve W-validity and the proof of the preservation theorem would be much simpler. Unfortunately the use of weak-β-dependence would not allow as many bindings under the relation →_S. Furthermore, strong-β-dependence provides a stronger universal generalization inference mechanism. Universal generalization is discussed later.

Under strong-β-dependence the proof of the →_S preservation theorem is long and complex. The proof is divided into four parts. The first two parts introduce two concepts needed in the proof: β-dependency-paths and minimal-assignments. The third part contains the proof itself. This proof relies on the first minimal assignment lemma which is stated but not proven in the section on minimal assignments. The fourth part of the proof consists of a proof of the first minimal assignment lemma.


5.3.1 β-Dependency-Paths

Before proving the →_S preservation theorem it is useful to prove certain lemmas involving the notion of (strong) β-dependence. The following definition and lemma provide an alternative characterization of the notion of β-dependence.


Definition: Let β be a binding set over a semantic modulation graph S. A β-dependency-path is a sequence <n_1, n_2, ..., n_k> where each n_i is a variable node and for each pair n_i, n_{i+1} in the path one of the following two conditions holds.

• n_i is β-free and n_{i+1} is a free variable of the type node of n_i.

• n_i is bound under β by virtue of the binding n_i ↦ r and n_{i+1} is a free variable of the node r.

If s is a node in S such that n_1 is a free variable of s then the β-dependency-path <n_1, n_2, ..., n_k> is said to be a β-dependency-path from node s to the variable n_k.

Lemma: If β is a binding set over a semantic modulation graph S, s is any node in S, and n is a variable node in S then s β-depends on n just in case there exists a β-dependency-path from s to n.

Lemma: There are no β-dependency-loops just in case there is no β-dependency-path of length greater than 1 that begins and ends with the same variable node.


The characterization of β-dependence in terms of β-dependency-paths makes it easier to verify certain facts about β-dependency. The following lemma precisely characterizes the non-monotonic nature of β-dependency. This non-monotonicity lemma will be important in the proof of the →_S preservation theorem.


Non-Monotonicity Lemma: Let β be a binding set over a semantic modulation graph S. Let n ↦ r be a binding such that r does not β-depend on n and let β′ be the binding set which results from adding the binding n ↦ r to β. Now let s be any node and let n′ be any variable node. If s β-depends on n′ but s does not β′-depend on n′ then every β-dependency-path from s to n′ must include n and r must not β-depend on n′.

Proof: Suppose s β-depends on n′ but that s does not β′-depend on n′. It is easy to show that every β-dependency-path from s to n′ includes n. More specifically if there existed a β-dependency-path from s to n′ that did not include n then this path would also be a β′-dependency-path and thus s would β′-depend on n′. Now I will show that r does not β-depend on n′. Suppose r did β-depend on n′. In this case there exists a β-dependency-path from r to n′. The conditions of the lemma state that r does not β-depend on n and thus the β-dependency-path from r to n′ does not include n. Thus this path is also a β′-dependency-path and so r also β′-depends on n′. Furthermore, since s β-depends on n′ there must exist a β-dependency-path from s to n′ and, by the above comments, any such path must include n. Consider the shortest possible β-dependency-path from s to n. This path only involves n as the last node in the path and thus it is also a β′-dependency-path. The β′-dependency-paths from s to n and from r to n′ can be combined to yield a β′-dependency-path from s to n′. But this violates the assumption that s does not β′-depend on n′. Thus r must not β-depend on n′.
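As an added illustration of the definitions in this section (not code from Ontic or the thesis), the Python below computes strong β-dependence by searching for β-dependency-paths, computes weak β-dependence as a monotone closure, checks the precondition on a candidate binding n ↦ r from the definition of →_S in section 5.1 (n must be β-free and r must not β-depend on n), and detects β-dependency-loops directly from their definition. The graph and all node names are constructed. It reproduces the scenario discussed above: s directly depends on n, n directly depends on n′ through its type node, and the binding n ↦ k erases the dependency of s on n′ under strong dependence but not under weak dependence; the term n + 1 from section 5.1 appears as the node succ_n.

```python
# Constructed graph (not an Ontic graph). FREE_VARS gives the free
# variable nodes of each node (a variable is a free variable of itself);
# TYPE_OF gives the type node of each variable node. A binding set beta
# is a dict mapping a bound variable n to the node r of the binding n ↦ r.
FREE_VARS = {
    "s": {"n"},             # s directly depends on n
    "n": {"n"}, "n1": {"n1"}, "k": {"k"},
    "GtN1": {"n1"},         # type node "numbers greater than n1"
    "Num": set(),           # closed type node with no free variables
    "succ_n": {"n"},        # the term n + 1
}
TYPE_OF = {"n": "GtN1", "n1": "Num", "k": "Num"}


def successors(v, beta):
    """Variables that may follow v on a β-dependency-path."""
    if v in beta:                               # bound by v ↦ r: free vars of r
        return FREE_VARS.get(beta[v], set())
    return FREE_VARS.get(TYPE_OF[v], set())     # β-free: free vars of its type node


def strong_deps(s, beta):
    """All variables n such that a β-dependency-path from s to n exists."""
    reached, frontier = set(), list(FREE_VARS.get(s, set()))
    while frontier:
        v = frontier.pop()
        if v in reached:
            continue
        reached.add(v)
        frontier.extend(successors(v, beta))
    return reached


def weak_deps(s, beta):
    """Weak β-dependence: the direct dependencies of s, closed under
    following any binding n' ↦ r with n' already reached into the
    direct dependencies of r. Adding bindings can only enlarge this set."""
    deps = set(strong_deps(s, {}))              # direct = empty binding set
    changed = True
    while changed:
        changed = False
        for n2, r in beta.items():
            if n2 in deps:
                extra = strong_deps(r, {}) - deps
                if extra:
                    deps |= extra
                    changed = True
    return deps


def binding_allowed(n, r, beta):
    """Precondition from the →_S definition: n is β-free and r does not
    β-depend on n (otherwise the binding could not be satisfied)."""
    return n not in beta and n not in strong_deps(r, beta)


def has_dependency_loop(beta):
    """A variable v is a β-dependency-loop if the node it is bound to
    (or, when v is β-free, its type node) β-depends on v."""
    for v in TYPE_OF:
        target = beta[v] if v in beta else TYPE_OF[v]
        if v in strong_deps(target, beta):
            return True
    return False


def demo():
    empty, bound = {}, {"n": "k"}
    return {
        "strong_empty": "n1" in strong_deps("s", empty),        # s depends on n1
        "strong_bound": "n1" in strong_deps("s", bound),        # erased by n ↦ k
        "weak_bound": "n1" in weak_deps("s", bound),            # weak keeps it
        "ok_binding": binding_allowed("n", "k", empty),         # k independent of n
        "bad_binding": binding_allowed("n", "succ_n", empty),   # n ↦ n + 1 rejected
        "loop": has_dependency_loop({"n": "succ_n"}),           # n bound to a term on n
        "no_loop": has_dependency_loop(bound),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The strong search follows the two path conditions literally, so a bound variable contributes the free variables of the term it is bound to rather than those of its type node; that single substitution is what makes the relation non-monotonic, and the weak closure differs from it only in never discarding the type-node route.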

5.3.2 Minimal-β-Assignments

Intuitively one would like an assignment of the form n := c to alter as few nodes as possible. For example suppose that n is a variable node that ranges over numbers and that n′ is a variable node that ranges over numbers which are greater than n. Since n is a free variable of the type of n′, the variable node n′ depends on the variable node n. Now suppose w is a world in which n is 2 and n′ is 5 and consider the assignment n := 4. Since n′ depends on n the assignment n := 4 is allowed to change the value of n′. In this case however such a change is not needed; the old value of n′, the number 5, is still an instance of the type of n′ when n is set to the number 4. A minimal-β-assignment is a β-assignment that changes only those parameters whose values must be changed.

Definition: Let β be any binding context over a semantic modulation graph S and let n be any variable node in S. A β-supervariable of n is defined to be any β-free variable other than n that β-depends on n.

Let β be a binding set over a semantic modulation graph S, let w be a world in a satisfactory semantics W for S, let n be a β-free variable node in S and let c be an instance of the type of n in world w under semantics W. A minimal-β-assignment w[β, n := c] of n to c in world w is a β-assignment w[β, n := c] of n to c in w such that if n′ is a β-supervariable of n and the color of n′ under w is an instance of the type of n′ in w[β, n := c] then w[β, n := c] agrees with w on n′.


Let β be a binding set over a semantic modulation graph S and let W be a satisfactory semantics for S. We say that minimal-β-assignments exist in W if for every world w in W, every β-free variable node n in S and every instance c of the type of n in w under semantics W, the semantics W contains a minimal-β-assignment of n to c in w.


First Minimal Assignment Lemma: Let β be a binding set over a semantic modulation graph S and let W be a satisfactory semantics for S. If β-assignments exist in W and there are no β-dependency loops then minimal-β-assignments exist in W.


The first minimal assignment lemma is proved via a conceptual procedure for constructing minimal assignments. A minimal assignment can be found by first making an arbitrary assignment and then “fixing up” the supervariables that were needlessly changed by the assignment. The full proof of the first minimal assignment lemma is fairly long and cumbersome and is relegated to its own section so that it can be easily avoided by the reader.


Second Minimal Assignment Lemma: Let β be a binding set over a semantic modulation graph S. Let w be a world in a satisfactory semantics W for S such that w satisfies β. Let n be a variable node in S, let c be a color in the semantic domain of W and let w[β, n := c] be a member of W that is a minimal-β-assignment of n to c in w. If s is a node in S such that w and w[β, n := c] disagree on s, and if there are no β-dependency loops, then there exists a β-dependency-path from s to n such that w and w[β, n := c] disagree on every node in that path.


Proof: If there are no β-dependency-loops then no β-dependency-path is longer than the number of nodes in the graph S. Thus there is an absolute maximum length for β-dependency-paths.

Let D be the set of all nodes s such that w and w[β, n := c] disagree on s. For any member s of D let the β-path-distance from s to n be the maximum length of any β-dependency-path from s to n.

Since w[β, n := c] is a β-assignment of n to c in w, if w and w[β, n := c] disagree on s then s must β-depend on n. Thus if s is in D then there exists a β-dependency-path from s to n. Now consider an arbitrary member s of D. We must show that there exists a β-dependency-path from s to n such that the entire path is contained in D. It suffices to show that there exists a β-dependency-path contained entirely in D from s to some node closer to n; a path in D from s to n can be constructed from smaller paths that always get closer to n. Since W is a satisfactory semantics for S the labels of a node are determined by the color labels of the free variables of that node. Thus if s is in D, i.e. if w and w[β, n := c] disagree on s, then there must be some free variable n′ of s which is also in D. Furthermore the β-path-distance from n′ to n must be less than or equal to the β-path-distance from s to n. If n′ equals n then the singleton path <n′> is a β-dependency-path from s to n which is contained entirely in D. So suppose n′ is not equal to n. Now there are two cases. First suppose that β contains a binding of the form n′ ↦ r. Since both w and w[β, n := c] satisfy β, both worlds assign the same color to n′ and r, and since n′ is in D, r must be in D. But since r is in D some free variable n″ of r must be in D. But <n′, n″> is a β-dependency-path contained entirely in D from s to n″ and n″ must be closer to n than s under β-path-distance. Now suppose that n′ is β-free. In this case n′ is a β-supervariable of n. Furthermore since n′ is in D and since w[β, n := c] is a minimal-β-assignment of n to c in w, the color of n′ in w must not be an instance of the type of n′ in w[β, n := c]. This implies that the type of n′ in w[β, n := c] is different from the type of n′ in w. But since W is a satisfactory semantics the type of a variable is determined by the color of the type node of that variable. Thus the type node of n′ must be in D. But this implies that some free variable n″ of the type node of n′ is also in D. In this case <n′, n″> is the desired β-dependency-path in D from s to a node which is closer to n under β-path-distance.


5.3.3  The  —+5  Preservation  Theorem 

Except  for  the  proof  of  the  first  minimal  assignment  lemma,  the  ground¬ 
work  has  now  been  laid  for  the  proof  of  the  —>5  preservation  theorem.  The 
theorem  uses  a  simple  lemma  about  £-established-iype-nodes. 


Lemma: Let W be a satisfactory semantics for a semantic modulation graph S, let L be a truth and color labeling of S and let w be a world in W such that w satisfies L. If m is an L-established-type-node for a node r of S then the color of r in the world w is an instance of m in w.


The above lemma follows directly from the definition of an L-established-type-node and the definition of a satisfactory semantics for a semantic modulation graph; the proof is left to the reader. Given this lemma we can now prove the →_S preservation theorem.


Proof of the →_S Preservation Theorem: Suppose that Γ is W-valid and that Γ →_S Γ'. We must show that Γ' is W-valid. First suppose that the binding set of Γ' is the same as the binding set of Γ. In this case let β be the binding set of Γ and let L and L' be the labelings of Γ and Γ' respectively. Since the binding set of Γ' also equals β it is clear that the binding set of Γ' is W-legal. Now let w be any world in W that satisfies β. To show that Γ' is W-valid it suffices to show that w satisfies L'. Because Γ is W-valid, w must satisfy L. Furthermore it follows from the definition of →_S that if the binding set of Γ equals the binding set of Γ' then L →_C L' where C is the congruence constraint graph underlying S. But now the soundness of →_C implies that w satisfies L'.
Now suppose that the binding set of Γ' is different from the binding set of Γ. Let β and β' be the binding sets of Γ and Γ' respectively and let L and L' be the labelings of Γ and Γ' respectively. It follows from the definition of →_S that β' equals β ∪ {n ↦ r} where n is a β-free variable of type m, m is an L-established-type-node for r, and r does not β-depend on n.

First consider any world w that satisfies the binding set β'. We must show that w satisfies L'. Since β' contains β, w satisfies β, and because Γ is W-valid w must also satisfy the labeling L. Since w satisfies the binding n ↦ r it must assign n and r the same color. Thus w must assign all nodes which are equivalent to n under L and all nodes which are equivalent to r under L the same color. The labeling L' is the labeling derived from L by merging the equivalence classes of n and r. Thus w satisfies L'.

Next I will show that there are no β'-dependency-loops. The proof is by contradiction. Suppose there were a β'-dependency-loop. In this case there is a β'-dependency-path of length greater than 1 from a variable node to itself, i.e. a loop. This loop must involve the node n because otherwise it would be a β-dependency-loop and by assumption there are no such loops. But β' contains the binding n ↦ r and thus if there exists a β'-dependency-loop that involves n there must exist a β'-dependency path from r to n. Consider a particular β'-dependency path from r to n. The node n might occur multiple times in this path. Consider the subpath of this path that ends with the first occurrence of n. Since this subpath does not pass through the binding n ↦ r it is a β-dependency path. But by assumption r does not β-depend on n, so there are no β-dependency-paths from r to n, a contradiction.

Now I will show that β' is W-universally-satisfiable. Let w be any world in W. Since β is universally satisfiable there exists a world w[β] which satisfies β and which agrees with w on all nodes that do not depend on any variable bound under β. Because Γ is W-valid and w[β] satisfies β, w[β] must also satisfy L. Because m is an L-established-type-node for r and w[β] satisfies L, the color of r in w[β] must be an instance of m in w[β]. Let c be the color assigned to r in the world w[β]. Because β-assignments exist there exists a β-assignment w[β][β, n := c] of n to c in w[β]. Since r does not β-depend on n the world w[β][β, n := c] must assign r the color c. Thus, in addition to satisfying β, the world w[β][β, n := c] also satisfies the binding n ↦ r and thus this world satisfies β'. It remains only to show that w[β][β, n := c] agrees with w on all nodes that do not directly depend on any variable bound under β'. Let s be such a node. There does not exist any direct dependency path from s to a node bound under β'. Therefore there can not exist any β-dependency path from s to n because any such path would either be a direct path or would include a direct path to some node bound under β'. Thus s does not β-depend on n and thus w[β][β, n := c] and w[β] must agree on s. But by the definition of w[β], w[β] must agree with w on s.

Finally I will show that β'-assignments exist. Let w be any world in W that satisfies β', let n' be a β'-free variable and let c be an instance of the type of n' in the world w under the semantics W. We must construct a β'-assignment w[β', n' := c] of n' to c in w. Recall that β' differs from β in that β' contains the one additional binding n ↦ r. The world w[β', n' := c] is constructed in one of three different ways depending on which, if any, of the nodes n and r β-depend on n'. In all three cases the construction begins by considering a β-assignment w[β, n' := c] of n' to c in w. Unfortunately the world w[β, n' := c] need not satisfy the binding n ↦ r. Furthermore, and more seriously, in one of the three cases β-dependence is non-monotonic: there may be a node s which β-depends on n' but does not β'-depend on n'. In this case w[β, n' := c] may disagree with w on s even though s does not β'-depend on n'.

First consider the case where neither n nor r β-depend on n'. Since W is a satisfactory semantics for S, W contains a β-assignment w[β, n' := c] of n' to c in w. In this case w[β, n' := c] is also a β'-assignment of n' to c in w. To see this first note that w[β, n' := c] satisfies the binding n ↦ r. More specifically, by assumption w satisfies n ↦ r and since neither n nor r β-depend on n', w[β, n' := c] also satisfies n ↦ r. Furthermore the non-monotonicity lemma implies that in this case every node which β-depends on n' also β'-depends on n'. Every node on which w and w[β, n' := c] disagree must β-depend on n' and therefore every such node must β'-depend on n'.

Now suppose that r β-depends on n'. Since β is W-legal, W contains a β-assignment w[β, n' := c] of n' to c in w. Since Γ is W-valid and since w[β, n' := c] satisfies β, the world w[β, n' := c] satisfies L. However w[β, n' := c] need not satisfy the binding n ↦ r; the assignment to n' may change the value of r. In this case we satisfy the binding n ↦ r by reassigning n. More specifically let c_r be the color assigned to r in the world w[β, n' := c]. Since the type node for n is an L-established-type-node for r, the color c_r must be an instance of the type node of n in the world w[β, n' := c]. Thus W contains a β-assignment w[β, n' := c][β, n := c_r] of n to c_r in w[β, n' := c]. I will show that w[β, n' := c][β, n := c_r] is the desired β'-assignment of n' to c in w. Since r does not β-depend on n the world w[β, n' := c][β, n := c_r] assigns r the color c_r and thus this world satisfies the binding n ↦ r. Furthermore one can show that n' does not β-depend on n. More specifically, in this case r β-depends on n', so if n' β-depended on n then r would β-depend on n, which is ruled out by the conditions governing the generation of bindings. Since n' does not β-depend on n the world w[β, n' := c][β, n := c_r] assigns n' the color c. Finally consider some node s such that w[β, n' := c][β, n := c_r] disagrees with w on s. We must show that s β'-depends on n'. Note that in this case either w and w[β, n' := c] disagree on s or w[β, n' := c] and w[β, n' := c][β, n := c_r] disagree on s. First note that if w[β, n' := c] disagrees with w on s then s must β-depend on n'. The non-monotonicity lemma implies that if r β-depends on n' then every node which β-depends on n' also β'-depends on n'. Thus if w[β, n' := c] disagrees with w on s then s β'-depends on n'. Now suppose that w[β, n' := c] and w[β, n' := c][β, n := c_r] disagree on s. In this case s must β-depend on n. Furthermore, one can show that s β'-depends on n: since there are no β-dependency-loops a β-dependency-path from s to n involves n only as the final node, and therefore any such path is also a β'-dependency path. Furthermore, since r β-depends on n' but does not β-depend on n, there exists a β-dependency path from r to n' that does not involve n. The path from r to n' is also a β'-dependency path. Following the binding n ↦ r in β', the path from s to n can be extended by the path from r to n'. Thus there is a β'-dependency path from s to n'.

Now consider the non-monotonic case where n β-depends on n' but r does not β-depend on n'. Since β-assignments exist in W, minimal β-assignments also exist in W. Thus W contains a minimal β-assignment w[β, n' := c] of n' to c in w. I will show that this minimal β-assignment is the desired β'-assignment of n' to c in w. Since r does not β-depend on n' the worlds w and w[β, n' := c] agree on r; let c_r be the color assigned to r in either world. By the argument given above c_r must be an instance of the type of n in the world w[β, n' := c]. Now by the definition of minimal-β-assignments the world w[β, n' := c] must assign n the color c_r. Thus w[β, n' := c] satisfies the binding n ↦ r. Now consider a node s such that w and w[β, n' := c] disagree on s. By the definition of β-assignments s must β-depend on n'. Now suppose that s does not β'-depend on n'. In this case the non-monotonicity lemma implies that every β-dependency-path from s to n' includes the node n. But the second minimal assignment lemma implies that if w and w[β, n' := c] disagree on s then there exists a β-dependency-path from s to n' such that w and w[β, n' := c] disagree on every node in the path. But this is impossible because every β-dependency-path from s to n' includes n and it has been shown that w and w[β, n' := c] agree on n.


5.3.4 Proof of the First Minimal Assignment Lemma

Intuitively, minimal-β-assignments exist because there exists a conceptual procedure for constructing them. The procedure takes an arbitrary assignment and "fixes up" variables that were unnecessarily changed. Variables are fixed up using a recursive procedure for targeted assignment.

Definition: Let β be a binding set over a semantic modulation graph S. Let w and w' be worlds in a satisfactory semantics W for S such that both w and w' satisfy β. Let n be a β-free variable node and let c be an instance of the type of n in the world w. A targeted-β-assignment of n to c in w with target w' is a β-assignment w[β, n := c] of n to c in w such that if n' is a β-supervariable of n and the color of n' under the target world w' is an instance of the type of n' in w[β, n := c] then w[β, n := c] agrees with the target w' on n'.

A  procedure  for  computing  targeted  assignments  can  be  used  to  compute 
minimal  assignments;  a  minimal  assignment  is  just  a  targeted  assignment 
where  the  target  equals  the  world  in  which  the  assignment  is  done.  More 
specifically,  to  prove  the  first  minimal  assignment  lemma  it  suffices  to  prove 
that  targeted  assignments  exist. 


Definition: Let β be a binding set over a semantic modulation graph S, let W be a satisfactory semantics for S and let n be a β-free variable node in S.

We say that targeted-β-assignments exist for n in W if for all worlds w and w' in W and all colors c which are instances of the type of n in w under the semantics W, the semantics W contains a targeted-β-assignment of n to c in w with target w'.

We say that targeted-β-assignments exist in W if for every β-free variable node n in S targeted-β-assignments exist for n in W.

The conceptual procedure for computing a targeted assignment of n to c takes an arbitrary assignment of n to c and recursively "fixes" the immediate-β-supervariables of n. Recall that a β-supervariable of n is a β-free variable node n' other than n which β-depends on n. If there are no β-dependency-loops then the notion of β-dependence determines a partial order on variable nodes. If n' β-depends on n then we can picture n' as being above n. The immediate-β-supervariables of n are the least members (under β-dependence) of the β-supervariables of n.


Definition: Let β be a binding set over a semantic modulation graph S. Let n be a β-free variable node in S.

An immediate-β-supervariable of n is a β-supervariable n' of n such that there is no variable in between n' and n, i.e. there is no β-supervariable n'' of n such that n' is a β-supervariable of n''.

Observation: No two immediate-β-supervariables of n β-depend on each other, i.e. if n' and n'' are distinct immediate-β-supervariables of n then n' does not β-depend on n''.

Observation: If there are no β-dependency-loops then every β-supervariable of n is either an immediate-β-supervariable of n or is a β-supervariable of some immediate-β-supervariable of n.


The  conceptual  procedure  for  recursively  computing  targeted  assignments 
always  terminates  because  the  recursive  calls  always  involve  variables  of  lower 
depth  and  no  variable  has  depth  less  than  1.  The  depth  of  a  variable  is  defined 
as  follows: 


Definition: Let β be a binding set over a semantic modulation graph S such that there are no β-dependency-loops. For each variable node n let the β-depth of n be the length of the longest β-dependency path ending at n.

Observation: If β is a binding set over S such that there are no β-dependency-loops and n is a β-free variable node in S then all β-supervariables of n have smaller β-depth than n.
The recursive conceptual procedure for computing targeted assignments can be expressed as an induction proof that targeted assignments exist. The proof is by induction on the β-depth of variable nodes.


Lemma: Let β be a binding set over a semantic modulation graph S such that there are no β-dependency-loops and let W be a satisfactory semantics for S such that β-assignments exist in W. Under these conditions targeted β-assignments also exist in W.

Proof: I will show by induction on the β-depth of variable nodes that for all variable nodes n, if n is β-free then targeted assignments exist for n in W. Every variable node in S has a β-depth of at least 1 (the singleton path ⟨n⟩ is always a dependency path). Suppose that n has depth 1. In this case there are no β-supervariables of n and thus any assignment of n to c satisfies the definition of a targeted assignment. Thus if n is β-free and has depth 1 then targeted β-assignments exist for n in W. Now suppose that n is a variable of depth d where d is greater than 1 and targeted-β-assignments exist in W for all β-free variables of depth less than d. Now suppose that n is β-free and let w and w' be worlds in W that satisfy β. Let c be a color which is an instance of the type of n in the world w. We must show that W contains a targeted-β-assignment of n to c in w with target w'. Since β-assignments exist in W there exists a world w[β, n := c] in W which is a β-assignment of n to c in w. Let n_1, n_2, ..., n_k be the immediate-β-supervariables of n and let c_1, c_2, ..., c_k be the target colors for n_1, n_2, ..., n_k, i.e. c_i is the color of n_i in the target world w'. Each variable n_i has smaller depth than n so by the induction hypothesis targeted-β-assignments exist in W for each n_i. Let w_0, w_1, w_2, ..., w_k be worlds in W defined as follows: w_0 equals w[β, n := c]. If c_i is an instance of the type of n_i in the world w_{i-1} then w_i is a targeted-β-assignment w_{i-1}[β, n_i := c_i] of n_i to c_i in w_{i-1} with target w'. If c_i is not an instance of the type of n_i in the world w_{i-1} then w_i is a targeted-β-assignment w_{i-1}[β, n_i := b_i] of n_i to b_i in w_{i-1} with target w', where b_i is the color of n_i in w_{i-1} (this targeted-β-assignment leaves n_i unchanged but fixes the β-supervariables of n_i). I will now show that w_k is the desired targeted-β-assignment of n to c in w with target w'.

Consider an arbitrary β-supervariable n' of n and let c_t be the target color for n', i.e. the color assigned to n' by the target world w'. We must show that if the target color c_t is an instance of the type of n' in the world w_k then w_k in fact assigns n' the target color c_t. So suppose that c_t is an instance of the type of n' in the world w_k. Now there are two cases. The variable n' is either an immediate-β-supervariable of n or n' is a β-supervariable of some immediate-β-supervariable of n.

First consider the case where n' is an immediate-β-supervariable n_i of n and let m_i be the type node of n_i. The type node m_i must not β-depend on any immediate-β-supervariable of n and thus for all 0 ≤ j ≤ k the world w_j must agree with w_k on the type node m_i. In particular w_{i-1} must agree with w_k on m_i. By assumption the target color c_t is a member of the type of n_i in the world w_k and so c_t must also be a member of the type of n_i in the world w_{i-1}. Thus w_i is a targeted assignment w_{i-1}[β, n_i := c_t] of n_i to its target color in w_{i-1} with target w'. Thus n_i is assigned the target color c_t in the world w_i. Furthermore n_i does not β-depend on any other immediate-β-supervariable of n and thus w_k must agree with w_i on n_i, and thus w_k must assign n_i the target color c_t.


Now suppose that n' is a β-supervariable of one or more of the immediate-β-supervariables n_j. Let n_i be the "last" immediate-β-supervariable such that n' β-depends on n_i, i.e. let n_i be the immediate-β-supervariable such that n' β-depends on n_i and n' does not β-depend on any immediate-β-supervariable n_j of n for j > i. Let m be the type node of n'. Since n' does not β-depend on any n_j for j > i, the type node m must not β-depend on any n_j for j > i. Thus the world w_i defined above must agree with w_k on the type node m. By assumption the target color c_t is an instance of the type of n' in the world w_k. Thus c_t must be an instance of the type of n' in the world w_i. But w_i is always a targeted-β-assignment of n_i with target w'. Furthermore n' β-depends on n_i. Thus, by the definition of a targeted-β-assignment and the fact that the target c_t is an instance of the type of n' in the world w_i, the world w_i must assign n' the target color c_t. But n' does not β-depend on any n_j for j > i and thus the worlds w_i and w_k must agree on n'. Thus w_k assigns n' the target color c_t.


5.4 Focus, Termination, and Order Independence

This section describes a relation →_{S,F} which is similar to →_S except that binding construction is guided by a set of focus objects. The relation →_{S,F} is fully described in the beginning of this section; section 5.4.1 can be safely ignored by readers not interested in correctness proofs.

The semantic modulation inference relation →_S generates bindings of the form n ↦ r. Unfortunately, in most applications there is a very large number of potential bindings. To make the semantic modulation inference process effective one must select useful bindings. In the Ontic system binding selection is guided by a set of focus nodes. Given a set F of focus nodes the Ontic system only generates bindings of the form n ↦ r where r is a member of the focus set F.

Focus nodes represent objects that the system is thinking about. Given a set of focus objects the system uses forward chaining to generate facts about those objects. A focus object is often a variable node. For example the user might direct the system to consider an arbitrary lattice. When this is done the system chooses a variable node n whose type node represents the class of all lattices. The variable n is then added to the set of focus objects. While focusing on the arbitrary lattice n the system will generate facts that hold for all lattices. In order to ensure that the facts generated about a focus variable n hold for all instances of the type of n the system must avoid binding n to any particular object. In general the system avoids binding variables that are depended on by focus objects; binding a variable depended on by a focus object can change the meaning of the focus object.

The system also avoids redundant bindings. Suppose that n and n' are two variables that have the same type node m and suppose that m is an L-established-type-node for r. For the graphs generated by the Ontic compiler there is no point in binding both n and n' to r; given the binding n ↦ r nothing additional will be learned from the binding n' ↦ r.

In summary the Ontic system imposes three constraints on the binding process: variables are only bound to focus nodes, the system does not bind variables depended on by focus nodes, and the system does not generate redundant bindings. These three constraints lead to the following definition of the inference relation →_{S,F}, defined relative to a semantic modulation graph S and a set F of focus objects.


Definition: Let F be a subset of the nodes in a semantic modulation graph S (a focus set over S). Let Γ be a binding labeling of S such that Γ has binding set β, and let Γ' be a binding labeling of S with binding set β'.

We write Γ →_{S,F} Γ' if Γ →_S Γ' and either β' equals β or the difference between β' and β consists of a single binding n ↦ r where the following conditions hold:

• r is an element of F.

• No member of F (directly) depends on n.

• β contains no binding n' ↦ r where n' has the same type node as n.

We say that a variable node n in S is F-protected if some focus node in F depends on n. We say that an arbitrary node r is F-protected if every free variable of r is F-protected. Clearly the elements of F are F-protected.
If β is a binding set generated by the relation →_{S,F} and if p is a node that is F-protected then no variable depended on by p will be bound under β. One effect of this statement is that if p is F-protected, β is a binding set generated by →_{S,F}, and n is any variable node then p β-depends on n just in case p directly depends on n. Furthermore all members of the focus set F are F-protected and thus in the second restriction on bindings in the above definition it doesn't matter whether one uses β-dependence or direct dependence; the two notions of dependence are the same when discussing the dependence of F-protected nodes.
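The dependency notions used throughout this chapter (β-dependency paths and loops, β-depth, immediate-β-supervariables from section 5.3.4) and the three restrictions that define →_{S,F} above can be made concrete in a small executable model. The following Python is an added example written for this edition, not code from the Ontic system. It assumes a toy graph in which each node lists its free variables, each variable node has a type node, and a binding set is a map from bound variables to the terms they are bound to; the dependency steps are chosen to match the proofs in section 5.3 (a node steps to its free variables, a β-free variable to the free variables of its type node, a bound variable n' ↦ r to the free variables of r). The L-established-type-node condition on bindings depends on a truth and color labeling and is deliberately left out of the model; the graph, node names and the F-protection check as written are assumptions of the example.

```python
from collections import deque

# Constructed toy semantic modulation graph (an assumption for this example,
# not a graph produced by the Ontic compiler).  FREE_VARS maps each node to
# the tuple of its free variable nodes; TYPE_OF maps each variable node to
# its type node.
FREE_VARS = {
    "x": (), "y": (), "y2": (), "z": (),   # variable nodes
    "ty_x": (),                            # type of x: closed
    "ty_y": ("x",),                        # type of y and y2 mentions x
    "ty_z": ("y",),                        # type of z mentions y
    "r1": (),                              # a closed term
    "r2": ("z",),                          # a term with free variable z
    "p": ("y",),                           # a formula node about y
}
TYPE_OF = {"x": "ty_x", "y": "ty_y", "y2": "ty_y", "z": "ty_z"}
VARIABLES = frozenset(TYPE_OF)


def successors(node, beta):
    """Variables reachable by one beta-dependency step from node.

    Modeling assumption taken from the proofs above: a non-variable node steps
    to its free variables; a beta-free variable steps to the free variables of
    its type node; a variable bound by n' |-> r in beta steps to the free
    variables of r.  Direct dependence is the beta = {} case.
    """
    if node in VARIABLES:
        return FREE_VARS[beta.get(node, TYPE_OF[node])]
    return FREE_VARS[node]


def beta_depends(s, n, beta):
    """True when some beta-dependency path leads from s to n."""
    seen, frontier = set(), deque(successors(s, beta))
    while frontier:
        v = frontier.popleft()
        if v == n:
            return True
        if v not in seen:
            seen.add(v)
            frontier.extend(successors(v, beta))
    return False


def has_dependency_loop(beta):
    """A beta-dependency-loop is a path of length > 1 from a variable to itself."""
    return any(beta_depends(v, v, beta) for v in VARIABLES)


def beta_depth(n, beta, _memo=None):
    """Length of the longest beta-dependency path ending at n.

    Only defined when there are no loops; the singleton path <n> gives depth 1.
    """
    if _memo is None:
        if has_dependency_loop(beta):
            raise ValueError("beta-depth is undefined when beta has dependency loops")
        _memo = {}
    if n not in _memo:
        preds = [v for v in VARIABLES if n in successors(v, beta)]
        _memo[n] = 1 + max((beta_depth(v, beta, _memo) for v in preds), default=0)
    return _memo[n]


def supervariables(n, beta):
    """beta-free variables other than n that beta-depend on n."""
    return {v for v in VARIABLES - set(beta) if v != n and beta_depends(v, n, beta)}


def immediate_supervariables(n, beta):
    """Supervariables of n with no other supervariable of n strictly between."""
    supers = supervariables(n, beta)
    return {v for v in supers
            if not any(beta_depends(v, u, beta) for u in supers if u != v)}


def f_protected(node, focus, beta):
    """A variable is F-protected if some focus node depends on it; any other
    node is F-protected if all of its free variables are."""
    if node in VARIABLES:
        return any(beta_depends(f, node, beta) for f in focus)
    return all(f_protected(v, focus, beta) for v in FREE_VARS[node])


def candidate_bindings(focus, beta):
    """Bindings n |-> r that the three ->_{S,F} restrictions do not exclude:
    r is in F, no focus node depends on n, and beta has no n' |-> r with the
    same type node as n.  The ->_S requirement that r not beta-depend on n is
    checked too (it is implied when r is a focus node).  Whether the type node
    of n is L-established for r is a labeling question outside this model."""
    out = []
    for n in sorted(VARIABLES - set(beta)):
        if f_protected(n, focus, beta):
            continue                                  # focus objects depend on n
        for r in sorted(focus):
            if beta_depends(r, n, beta):
                continue                              # would create a loop
            if any(TYPE_OF[n2] == TYPE_OF[n] for n2, r2 in beta.items() if r2 == r):
                continue                              # redundant with an existing binding
            out.append((n, r))
    return out
```

Running it on the constructed graph shows the two effects the text relies on. With the empty binding set, x has β-depth 3 and its supervariables y, y2 and z all have smaller depth, while only y and y2 are immediate (z reaches x through y). Adding the binding y ↦ r1 is the non-monotonic case of the preservation proof: z still depends on y but no longer on x, since the path now follows the closed term r1 instead of the type node of y; the same binding also makes y2 ↦ r1 redundant because y2 shares the type node of y. With r2 as the only focus object, x, y and z are F-protected (r2 depends on each of them through z) and y2 is the only variable the restrictions leave bindable.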

The relation →_{S,F} is simply a restriction of the relation →_S and thus the soundness theorem holds for →_{S,F}. Furthermore if p is F-protected then no variable depended on by p will be bound by the inference relation →_{S,F}. More specifically we have the following special case of the soundness theorem.


→_{S,F} Soundness Theorem: Let W be a satisfactory semantics for a semantic modulation graph S. Let Γ be a binding labeling with an empty binding set and with a truth and color labeling L such that every world in W satisfies L. Now suppose Γ →_{S,F}* Γ' (zero or more →_{S,F} steps) where Γ' has binding set β and truth and color labeling L'. If p is a formula node that is F-protected and p is labeled true under L' then p must be labeled true in all worlds in W.


5.4.1 Termination and Order Independence

This section proves a certain Church-Rosser property for the relation →_{S,F}. The relation →_{S,F} is fully specified above and those readers not interested in correctness proofs can safely ignore this section.

The relation →_{S,F} operates on binding labelings of a semantic modulation graph S. Since a given variable can only be bound once, and partial truth labelings and color labelings can not be extended indefinitely, there can be no infinite reduction chains of the form

Γ_1 →_{S,F} Γ_2 →_{S,F} Γ_3 →_{S,F} ...

Thus the relation →_{S,F} is well founded.

Let S be a semantic modulation graph, let Γ be an initial binding labeling, let F be a focus set over S, and let p be a formula node which is F-protected, i.e. p represents some statement about the focus objects. The inference relation →_{S,F} can be used in an attempt to prove p by binding variable nodes to focus objects. More specifically the labeling Γ can be extended via the relation →_{S,F} until a normal form is found. Let Γ' and Γ'' be two normal forms of Γ under the inference relation →_{S,F}. Now for the graphs generated by the Ontic compiler either Γ' and Γ'' are both inconsistent or they both agree on p. More specifically, the compilation of individual variables (which compile into generic individual nodes) and closed formulas (such as the formulas in the lemma library) results in a homogeneous graph as described below. For homogeneous graphs it is possible to prove that the normal forms Γ' and Γ'' are equivalent under a certain equivalence relation defined below. This equivalence relation has the property that if Γ' and Γ'' are equivalent then either they both exhibit premature termination or they must agree on p. A binding labeling exhibits premature termination if it is inconsistent or if there is some focus object r and an L-established-type-node m for r but there are no variables of type m that have been bound to r and no variables of type m available for binding to r. In other words a binding labeling exhibits premature termination if it runs out of variables to bind to focus nodes. Because the Ontic compiler generates variables on demand, a binding labeling does not exhibit premature termination in practice unless it is inconsistent. Thus if Γ' and Γ'' are both normal forms of Γ under the relation →_{S,F}, and if p is F-protected, then either Γ' and Γ'' are both inconsistent or they agree on p.


Definition: Let Γ be a binding labeling of a semantic modulation graph S. We say that Γ is S-inconsistent if the labeling of Γ is C-inconsistent where C is the congruence constraint graph underlying S.

Let F be a subset of the nodes of a semantic modulation graph S and let Γ be a binding labeling of S with truth and color labeling L. We say that Γ exhibits premature F-termination if either Γ is S-inconsistent or there exists a focus object r in F and an L-established-type-node m for r such that there is no binding of the form n ↦ r in the binding set of Γ where n is a variable of type m and every variable of type m is either F-protected or is already bound under the binding set of Γ.

The equivalence relations defined in previous sections had the property that any two inconsistent labelings were equivalent. The equivalence relation defined below has the property that any two binding labelings which exhibit premature termination are equivalent. In practice the Ontic system generates variables on demand so that there are always enough variables in the graph to avoid premature termination due to a lack of variables. Thus, in practice, premature termination always involves an inconsistency. If Γ is a normalized binding labeling with truth and color labeling L such that Γ does not exhibit premature termination, and if r is a focus object and m is an L-established-type-node for r, then some variable of type m is bound to r under the binding set of Γ.

The graphs generated by the Ontic compiler are homogeneous in the sense that if n and n' are two variables with the same type node then n and n' are "identical" as nodes in the graph. More specifically if n and n' are both variables with the same type node then there exists a symmetry of the graph which carries n to n'. A symmetry is a particular way that an object is identical to itself. For example a square is identical to itself when rotated ninety degrees. The formal definition of symmetry is based on the general notion of isomorphism. Two semantic modulation graphs are isomorphic if there is a bijection between their nodes which carries the structure of one onto the structure of the other. A symmetry is an isomorphism of an object with itself, e.g. a rotation of a square is a particular way that the square is isomorphic to itself.


To precisely define the notion of isomorphism one needs to define how a map carries the structure of a graph. More specifically consider a bijection ι which maps the nodes of a semantic modulation graph S to some other set of nodes N. The map ι carries the graph S to the graph ι(S) such that the nodes of ι(S) consist of the elements of N and the classification of nodes and the links of ι(S) are defined as follows:


Definition: Let S be a semantic modulation graph and let ι be a bijection mapping the nodes in S to some set. The map ι carries the graph S to the graph ι(S) where the graph ι(S) is defined as follows:

• The formula nodes of ι(S) are the objects of the form ι(n) where n is a formula node of S. The quotation nodes, type nodes, variable nodes and unclassified nodes of ι(S) are defined similarly.

• If Ψ is a literal over the formula nodes in S then ι(Ψ) is defined so that if Ψ is the node n then ι(Ψ) equals ι(n) and if Ψ is the literal ¬n then ι(Ψ) equals ¬ι(n). The clause links of ι(S) consist of all clause links of the form

where S contains the clause link

• The equality links of ι(S) consist of all links of the form

ι(p) ⇔ ι(n) = ι(m)

where S contains the link

p ⇔ n = m

• The subexpression links, free variable links, type declaration links, type formula links, and subtype links in ι(S) are defined similarly.


Now consider a bijection ι that maps the nodes of a graph S to any set. As discussed above the bijection ι carries the structure of the graph S over to the structure of a new graph ι(S). The bijection ι also carries binding labelings of S over to binding labelings of the graph ι(S).

Definition: Let ι be a bijection from the nodes of a semantic modulation graph S to some set.

Let L be a truth and color labeling of S. The labeling ι(L) is the truth and color labeling of ι(S) such that if L labels p true then ι(L) labels ι(p) true and if L assigns node r the color c then ι(L) assigns ι(r) the color c.

Let β be a binding set over S. The bijection ι carries β to the binding set ι(β) over the graph ι(S) where ι(β) consists of all bindings of the form ι(n) ↦ ι(r) where n ↦ r is a binding in β.

Let Γ be a binding labeling of S with binding set β and truth and color labeling L. The mapping ι carries Γ to the binding labeling ι(Γ) with binding set ι(β) and truth and color labeling ι(L).

For any bijection ι from the nodes of a semantic modulation graph S to some set, the graph ι(S) is in some sense identical to the graph S even though the nodes of ι(S) may be different from the nodes of S. This observation leads to the notion of isomorphism.

Definition: Two semantic modulation graphs S and S' are isomorphic just in case S' can be written as ι(S) for some bijection ι between the nodes of S and the nodes of S'. A map ι which carries S to S' is called an isomorphism between S and S'.

The notion of isomorphism leads to a notion of symmetry.

Definition: A symmetry of a semantic constraint graph S is an isomorphism of S with itself, i.e. a bijection ι from the nodes of S to themselves such that ι(S) equals S.

As mentioned above the graphs generated by compiling individual variables and closed formulas are highly symmetrical. More specifically, such graphs are homogeneous in the following sense.
Definition: Two variables n and n' in a semantic modulation graph S will be called S-identical if there exists a symmetry ι of S which exchanges n and n' and which is the identity map for all nodes r which do not depend on either n or n'.

A semantic modulation graph S is called homogeneous if any two variables with the same type node are S-identical.
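As an added illustration (not part of the thesis or of the Ontic system), the following Python models a small semantic modulation graph, carries it through a bijection ι, and searches exhaustively for a symmetry witnessing that two variables are S-identical; the subset of link kinds kept, the reading of "r depends on n" as reachability through free variable links, and the sample graph are assumptions of the example.

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass
class SMGraph:
    """A semantic modulation graph reduced to the links this example needs."""
    kind: dict             # node -> "formula" | "type" | "variable" | "unclassified"
    types: frozenset       # type declaration links (variable, type node)
    free: frozenset        # free variable links (node, variable)
    equalities: frozenset  # equality links (p, n, m) meaning p <=> n = m
    clauses: frozenset     # clause links: frozensets of literals (node, polarity)

    def nodes(self):
        return frozenset(self.kind)

    def dependents(self, n):
        """Nodes that depend on n: n itself and every node from which n is
        reachable through free variable links (assumed reading of 'depends')."""
        dep = {n}
        while True:
            more = {r for (r, v) in self.free if v in dep} - dep
            if not more:
                return dep
            dep |= more


def carry(graph, iota):
    """The graph iota(S): each node and each link mapped through the bijection."""
    return SMGraph(
        kind={iota[x]: k for x, k in graph.kind.items()},
        types=frozenset((iota[n], iota[m]) for n, m in graph.types),
        free=frozenset((iota[r], iota[n]) for r, n in graph.free),
        equalities=frozenset((iota[p], iota[n], iota[m])
                             for p, n, m in graph.equalities),
        clauses=frozenset(frozenset((iota[x], pol) for x, pol in cl)
                          for cl in graph.clauses),
    )


def is_symmetry(graph, iota):
    """iota is a symmetry of S when it is a bijection on the nodes of S
    and iota(S) equals S."""
    nodes = graph.nodes()
    if set(iota) != nodes or set(iota.values()) != nodes:
        return False
    return carry(graph, iota) == graph


def s_identical(graph, n, n2):
    """A symmetry exchanging n and n2 that fixes every node depending on
    neither, or None.  Exhaustive over the dependents, so small graphs only."""
    movable = sorted(graph.dependents(n) | graph.dependents(n2))
    iota = {x: x for x in graph.nodes() if x not in movable}
    for image in permutations(movable):
        iota.update(zip(movable, image))
        if iota[n] == n2 and iota[n2] == n and is_symmetry(graph, iota):
            return dict(iota)
    return None


def is_homogeneous(graph):
    """Every two variables with the same type node must be S-identical."""
    type_of = dict(graph.types)
    variables = sorted(x for x, k in graph.kind.items() if k == "variable")
    return all(type_of[v] != type_of[w] or s_identical(graph, v, w) is not None
               for i, v in enumerate(variables) for w in variables[i + 1:])


def sample_graph(asymmetric=False):
    """Constructed sample: variables x1, x2 of type t and formulas
    p1 <=> x1 = c and p2 <=> x2 = c joined by the clause (p1 or p2).
    With asymmetric=True an extra formula q <=> x1 = x1 mentions x1 alone,
    so no symmetry can exchange x1 and x2."""
    kind = {"t": "type", "c": "unclassified", "x1": "variable",
            "x2": "variable", "p1": "formula", "p2": "formula"}
    free = {("p1", "x1"), ("p2", "x2")}
    eqs = {("p1", "x1", "c"), ("p2", "x2", "c")}
    if asymmetric:
        kind["q"] = "formula"
        free.add(("q", "x1"))
        eqs.add(("q", "x1", "x1"))
    return SMGraph(kind, frozenset({("x1", "t"), ("x2", "t")}),
                   frozenset(free), frozenset(eqs),
                   frozenset({frozenset({("p1", True), ("p2", True)})}))
```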


If variables of the same type are identical then it shouldn't matter which variable is bound to a given focus object; two labelings should be considered to be equivalent if the only difference between them is that they bind different but identical variables to the same focus object. More specifically let F be a focus set over a semantic modulation graph S and let ι be a symmetry of S that is the identity function on all F-protected nodes. The symmetry ι exchanges identical variables but preserves all F-protected nodes. If Γ is a binding labeling of S then the binding labeling ι(Γ) should be equivalent to Γ.


Definition: Let F be a focus set over a semantic modulation graph S.

A symmetry ι of S is called F-preserving if ι is the identity function on all F-protected nodes in S.

Two binding labelings Γ and Γ' of S are called immediately-S-equivalent if they have the same binding set, they assign the same truth values to formula nodes, and their color labelings define the same equivalence relation on nodes.

Two binding labelings Γ and Γ' of S are called SF-equivalent if either both Γ and Γ' exhibit premature termination or there exists an F-preserving symmetry ι of S such that ι(Γ) is immediately-S-equivalent to Γ'.

It is possible to prove that →_SF satisfies the diamond property modulo SF-equivalence and thus →_SF is order independent.

→_SF Normalization Theorem: If S is a homogeneous semantic modulation graph and F is a focus set over S then the relation →_SF is a terminating normalizer modulo SF-equivalence.

The above order independence result implies that in certain easily identified cases the answers generated by the Ontic system do not depend on the order in which inference operations are performed.


Corollary: Let F be a focus set over a homogeneous semantic modulation graph S, let p be an F-protected formula node, and let Γ be a binding labeling of S. If Γ' and Γ'' are both normalizations of Γ under →_SF then either both Γ' and Γ'' exhibit premature termination or Γ' and Γ'' agree on the truth of p.


5.5  Assumptions 


This section describes an inference relation →_SA which performs inference in the presence of assumptions (suppositions). The inference relation →_SA is fully described in the beginning of the section. The relation →_SFA, which incorporates focus, is described in section 5.5.2. Sections 5.5.1 and 5.5.3 involve soundness and unique normalization respectively and can be safely ignored by readers not interested in correctness proofs.

Recall that a binding labeling Γ for S is W-valid if the binding set of Γ is W-legal and the binding set of Γ implies the truth and color labeling of Γ, i.e. every world in W that satisfies the binding set of Γ also satisfies the truth and color labeling of Γ. If W is a satisfactory semantics for the graph S then the relation →_S preserves W-validity. Unfortunately the notion of W-validity does not allow for assumptions. An assumption is a statement that is true in some worlds but not others. To properly handle assumptions one must deal with labelings that are not W-valid.


Definition: Let S be a semantic modulation graph and let W be a satisfactory semantics for S.

An assumption set over S is a subset A of the formula nodes in S. If w is a world in W then we say that w satisfies A if w assigns every formula node in A the label true.


Assumptions can be handled by an inference relation →_SA where A is an assumption set over S. A later section will discuss how assumptions can be combined with focus objects to yield an inference relation →_SFA which is a controlled restriction of the relation →_SA defined here. However, focus objects are ignored in the remainder of this section.

The labelings manipulated by the relation →_SA contain information that is deduced from the assumption set A. The assumptions in A may contain assumptions about the types of objects. Thus a certain binding may be type respecting relative to the assumptions in A even if that binding can not be proven to be type respecting in general. Furthermore the assumptions in A place restrictions on the free variables of the assumptions; it may not be possible to assign values to the free variables of an assumption without making the assumptions false. Thus the relation →_SA avoids binding variables which are depended on by elements of the assumption set A. In fact the only difference between the relations →_S and →_SA is that →_SA avoids binding variables depended on by the assumptions in A.


Definition: Let A be an assumption set over a semantic modulation graph S.

If β is a binding set over S then a variable node n in S is called Aβ-free if n is β-free, i.e. not bound under β, and no assumption in A β-depends on n.

Let Γ and Γ' be two binding labelings of S. We write Γ →_SA Γ' if Γ →_S Γ' and either Γ and Γ' have the same binding set or the binding set of Γ' contains an additional binding n ↦ r where n is Aβ-free.

The restriction on bindings given in the above definition makes it possible to prove a soundness theorem for the relation →_SA; this theorem establishes that →_SA can be used to find logical consequences of a set of assumptions.


→_SA Soundness Theorem: Let W be a satisfactory semantics for a semantic modulation graph S and let A be an assumption set over S. Let Γ be a binding labeling with an empty binding set and such that every world in W that satisfies A also satisfies the truth and color labeling of Γ. Now suppose Γ →_SA* Γ' where Γ' has binding set β. If p is a formula node such that p is labeled true under Γ' and no variable depended on by p is bound under β then p must be labeled true in all worlds in W that satisfy A.

Intuitively, the assumption soundness theorem holds because assumptions do not constrain variables not depended on by the assumptions; variables not depended on by assumptions are still free to range over their types and such a variable can be assigned to any object that is known to be an instance of its type. These intuitive comments are made more precise below.

5.5.1 Proof of the →_SA Soundness Theorem

Like the semantic modulation soundness theorem, the assumption soundness theorem is proven by showing that the relation →_SA preserves a certain property of binding labelings. More specifically the relation →_SA preserves AW-validity where a binding labeling is AW-valid just in case its binding set is AW-legal and its bindings together with the assumptions in A imply its truth and color labeling. The notion of an AW-legal binding context is similar to the notion of a W-legal binding context except that the concepts involved are relativized in some way to the assumption set A.

An AW-legal binding set need not be W-legal; the legality of bindings in an AW-legal binding set may depend on assumptions in A. More specifically, an AW-legal binding set need not be W-universally-satisfiable; if β is AW-legal, and w is a world in W such that w does not satisfy A, then W need not contain a world w[β] that satisfies β and agrees with w on all nodes that do not depend on variables bound under β. In defining the AW-legal binding sets the notion of W-universal-satisfiability is replaced by the notion of AW-universal-satisfiability.


Definition: Let W be a satisfactory semantics for a semantic modulation graph S, let A be an assumption set over S, and let β be a binding set over S. The binding set β is AW-universally-satisfiable if for every world w in W such that w satisfies A the semantics W contains a world w[β] such that w[β] satisfies β and agrees with w on all nodes that do not depend on any variable bound under β.


The following lemma states that if β is A-protecting in the sense defined below then β-assignments to Aβ-free variables always preserve the truth of the assumptions in A. Recall that a variable n is Aβ-free just in case n is β-free and no assumption in A β-depends on n.


Definition: Let A be an assumption set over a semantic modulation graph S, let W be a satisfactory semantics for S, and let β be a binding set over S.

The binding set β is called A-protecting if no variable depended on by an element of A is bound under β.

Lemma: If β is A-protecting, w is a world in W that satisfies A, n is an Aβ-free variable node, and c is an instance of the type of n in the world w then any β-assignment of n to c in w also satisfies A.

Proof: Since n is Aβ-free no assumption in A (directly) depends on n. Furthermore, I will show that no assumption in A β-depends on n. More specifically, suppose that there existed a β-dependency-path from an assumption p in A to the variable n. Since p does not directly depend on n this path must involve some variable bound under β. Thus there must be a direct dependency path from p to some variable bound under β. But this is impossible because β is assumed to be A-protecting. Thus no assumption in A β-depends on n. Thus if w[β, n := c] is a β-assignment of n to c in w then w and w[β, n := c] must agree on all elements of A. By assumption w satisfies A so w[β, n := c] also satisfies A.


An AW-legal binding set β need not have the property that β-assignments exist in W. More specifically the existence of β-assignments may depend on the assumptions in A and thus if w is a world that does not satisfy A there may be a variable node n and an instance c of the type of n such that W does not contain a β-assignment of n to c in w. When dealing with assumptions the requirement that β-assignments exist must be restricted to those worlds which satisfy the assumption set.


Definition: We say that β-assignments exist in W under A if for every world w in W that satisfies both β and A, every Aβ-free variable node n in S, and every instance c of the type of n in world w, the semantics W contains a β-assignment of n to c in w.


It is now possible to define the AW-legal binding sets.


Definition: Let W be a satisfactory semantics for a semantic modulation graph S, let A be an assumption set over S, and let β be a binding set over S. We say that the binding set β is AW-legal if there are no β-dependency loops, β is AW-universally-satisfiable, β is A-protecting, and β-assignments exist in W under A.


If β is the empty binding set then there are no β-dependency-loops; β is clearly AW-universally-satisfiable; and β is A-protecting. Furthermore if β is empty then β-assignments exist in all worlds in W. Thus the empty binding set is AW-legal.

The notion of an AW-legal binding context leads to the notion of an AW-valid binding labeling. A binding labeling Γ is AW-valid if its binding set is AW-legal and its truth and color labeling is implied by its binding set and the assumptions in A.


Definition: Let W be a satisfactory semantics for a semantic modulation graph S and let A be an assumption set over S. A binding labeling Γ is called AW-valid if the binding set of Γ is AW-legal and every world in W which satisfies both A and the binding set of Γ also satisfies the truth and color labeling of Γ.


It is now possible to state the main theorem of this section: the relation →_SA preserves AW-validity.


→_SA Preservation Theorem: Let W be a satisfactory semantics for a semantic modulation graph S and let A be an assumption set for S. If Γ is an AW-valid binding labeling and Γ →_SA Γ', then Γ' is also AW-valid.


The proof of the →_SA preservation theorem is essentially the same as the proof of the →_S preservation theorem given earlier; the proof will not be given here. It is important to note however that the restriction on bindings stated in the definition of →_SA is essential for the →_SA preservation theorem. More specifically suppose β contained a binding of the form n ↦ r where some assumption in A depends on n. In this case the binding n ↦ r may violate the assumptions in A; the binding may not be satisfiable by any world that satisfies A.


5.5.2 Combining Assumptions and Focus Objects


Focus objects guide the choice of bindings generated in the Ontic system. It is easy to combine focus and assumptions. More specifically the relation →_SFA can be defined as follows:

Definition: If Γ and Γ' are two binding labelings of a semantic modulation graph S then we write Γ →_SFA Γ' if Γ →_SA Γ' and Γ →_SF Γ'.

The above definition implies that the relation →_SFA is a restriction of the relation →_SA. More specifically →_SFA is that restriction of →_SA which only generates bindings n ↦ r where r is a member of the focus set F, no other variable with the same type node as n has already been bound to r, and no member of the focus set depends on n. Since →_SFA is a restriction of →_SA it preserves AW-validity.

5.5.3 Termination and Order Independence

Since each variable can be bound at most once, and since truth and color labelings can not be extended indefinitely, all of the inference relations discussed so far are well founded; there are no infinite inference chains.

Furthermore it can be shown that the ability of the relation →_SFA to prove a given result does not depend on the order in which inferences are performed. More specifically, let S be a semantic modulation graph; let F be a focus set over S, and let p be a formula node which is F-protected, i.e. p represents some statement about the focus objects; and let A be an assumption set over S. The relation →_SFA can be used in an attempt to prove that p follows from the assumptions in A. More specifically let Γ be an initial binding labeling such that the labeling of Γ satisfies A and let Γ' and Γ'' be two normal forms of Γ under the inference relation →_SFA. It turns out that the relation →_SFA is order independent in the sense that, for the graphs generated by compiling individual variables and closed formulas, either Γ' and Γ'' are both inconsistent or they both agree on p.
The proof of the order independence result for the relation →_SFA is very similar to the proof of the order independence result for →_SF. In fact the only difference between these two proofs involves the notion of premature termination. It is possible that a binding labeling Γ' is normalized under →_SFA even though it could be reduced further under →_SF. More specifically, a variable might be β-free and thus available for binding under →_SF but not Aβ-free and thus not available for binding under →_SFA. In fact it is possible that Γ' exhibits premature termination with respect to the relation →_SFA even though it does not exhibit premature termination with respect to the relation →_SF. A binding labeling Γ exhibits premature AF-termination just in case the truth and color labeling of Γ is inconsistent or there are not enough variables of the appropriate types available for binding to the focus objects (the precise definition should be clear and is not given here).

The →_SFA normalization theorem is stated in terms of a certain equivalence relation on labelings. The notion of AFS-equivalence can be defined as follows:


Definition: Let F be a focus set over a semantic modulation graph S and let A be an assumption set over S.

A node r is called AF-protected if every variable depended on by r is also depended on by some element of F or A. (If r is AF-protected then no binding generated by →_SFA binds a variable depended on by r.)

A symmetry ι of S is called AF-preserving if ι is the identity function on all AF-protected nodes.

Two binding labelings Γ and Γ' of S are called AFS-equivalent if either both Γ and Γ' exhibit premature AF-termination or there exists an AF-preserving symmetry ι of S such that ι(Γ) is immediately-S-equivalent to Γ'.


Now it is possible to prove that if S is homogeneous then →_SFA satisfies the diamond property modulo AFS-equivalence. Thus →_SFA is a terminating normalizer relative to AFS-equivalence. Furthermore if Γ and Γ' are AFS-equivalent and p is an AF-protected formula node then either Γ and Γ' both exhibit premature termination or they both agree on the truth of p. Thus the ability of the system to determine the truth of an AF-protected formula does not depend on the order in which reductions are done.


5.6 Automatic Universal Generalization

This section describes an inference relation →_G which performs automatic universal generalization. The inference relation →_G is fully described in the beginning of the section and section 5.6.1 can safely be ignored by readers not interested in correctness proofs. Section 5.6.2 describes the relation →_GA which is similar to →_G except that it handles a set of assumptions (suppositions). Section 5.6.3 discusses semantic soundness and can be safely ignored by readers not interested in correctness proofs. The relations →_G and →_GA are not guided by focus objects; section 5.6.4 describes a relation that is guided by focus objects.

Universal generalization is a method for deducing formulas of the form

(FORALL ((X τ)) Φ)

More specifically, suppose that a variable X of type τ appears free in the formula Φ and that Φ has been proven using only the fact that X is an instance of the type τ. In this case Φ must be true no matter how one interprets X as an instance of τ and thus one can infer that the above universal formula is true.

In the Ontic system the formula

(FORALL ((X τ)) Φ)

abbreviates the formula

(NOT
  (EXISTS-SOME
    (LAMBDA ((X τ))
      (NOT Φ))))
LAMBDA is the only true quantifier in the Ontic system; classical quantification is handled with the quantifier LAMBDA and formulas of the form

(EXISTS-SOME σ)

where σ is a type expression. In order to implement universal generalization as a graph labeling inference mechanism two additional kinds of links are needed corresponding to the quantifier LAMBDA and the operator EXISTS-SOME.


Definition: An Ontic graph G consists of a semantic modulation graph together with

• a set of existential links of the form

p ⇔ ∃m

where p is a formula node and m is a type node. Such a link says that p represents the formula which says that there exist instances of the type m.

• a set of closure links of the form

λn.p = m

where n is a variable node, p is a formula node such that no free variable of p other than n depends on n, and m is a type node. Such a link says that m represents the type whose instances are the values of the variable n which satisfy the formula represented by p.

If S is the semantic modulation graph derived by deleting all existential links and closure links from an Ontic graph G then S is called the semantic modulation graph underlying G.

Let G be an Ontic graph and let S be the underlying semantic modulation graph. A labeling of G is simply a labeling of S; a binding set over G is a binding set over S; and a binding labeling of G is a binding labeling of S.
Universal generalization can be done whenever a fact has been proven about a variable n and no assumptions have been made about n other than that it is an instance of its own type node. The following definitions identify those variable nodes n such that "no assumptions have been made about n". These definitions have been carefully designed to maximize the deductive power of automatic universal generalization while still ensuring the soundness of universal generalization inferences.


Definition: Let Γ be a binding labeling of an Ontic graph G, let β be the binding set of Γ, and let n be a variable node of G.

We say that two type nodes m and m' are known to be equal under Γ if the labeling of Γ assigns m and m' the same color label.

We say that n is Γ-free if either n is β-free or n is bound under β with a binding n ↦ n' where n' is a β-free variable node such that the type node of n' is known to be equal to the type node of n under Γ.

If n is Γ-free then the Γ-freedom-source for n is defined as follows: If n is β-free then the Γ-freedom-source for n is n itself. If n is Γ-free and the binding set of Γ contains a binding of the form n ↦ n' then the Γ-freedom-source for n is the variable node n'.


There are two forms of universal generalization used in the Ontic system: formula generalization and established type generalization. Formula generalization generalizes the truth of a formula node. Consider a formula node p and a variable node n such that n is a free variable of p. Now suppose that p has been proven to be false without using any assumptions about the particular value for n. In this case one can deduce that the type λn.p is empty; there is no interpretation of n that makes p true. If the type λn.p is empty then it may be possible to determine that a certain existential formula node is false. A universal formula is always represented as the negation of an existential formula so formula generalization can result in assigning a universal formula the label true.
Established type generalization is a form of universal generalization that involves subtype links. If G contains a subtype link p ⇔ m ≺ m' then the formula node p represents the statement that every instance of the type m is an instance of the type m'. Thus p represents a universally quantified statement: a statement that quantifies over all instances of the type m. Now suppose that n is a variable with type node m and that m' is an established type for n where no assumptions have been made about n. In this case one can deduce that every instance of m is also an instance of m' so the formula p which represents the subtype relation must be true.

In addition to the two kinds of universal generalization Ontic graphs are associated with existential generalization inferences. If an Ontic graph G contains an existential link p ⇔ ∃m then the node p represents the statement that there exist instances of the type m. Now if there exists a node r such that m is an established type node for r then one can infer that instances of m exist and therefore that p must be true.


Definition: Let $\mathcal{G}$ be an Ontic graph. Let $\Gamma$ be a binding labeling of $\mathcal{G}$ with binding set $\beta$ and truth and color labeling $\mathcal{L}$.

We say that a formula node q can be proven false by $\Gamma\mathcal{G}$-formula-generalization over a variable node n just in case $\mathcal{G}$ contains a closure link $\lambda n.p = m$ such that $\mathcal{L}$ assigns p the label false, n is $\Gamma$-free with freedom source n', no free variable of p other than n $\beta$-depends on n', and $\mathcal{G}$ contains the existential link $q \Leftrightarrow \exists m$.

We say that a formula node p can be proven true by $\Gamma\mathcal{G}$-established-type-generalization over a variable node n just in case $\mathcal{G}$ contains a subtype link $p \Leftrightarrow m \prec m'$ such that m is the type node for n, m' is an $\mathcal{L}\mathcal{G}$-established type node for n, n is $\Gamma$-free with freedom source n', and m' does not $\beta$-depend on n'.

We say that a formula node p can be proven true by $\Gamma\mathcal{G}$-existential-generalization if $\mathcal{G}$ contains an existential link $p \Leftrightarrow \exists m$ such that there exists a node r in $\mathcal{G}$ such that m is an $\mathcal{L}$-established-type-node for r.

Under certain binding labelings it is possible to prove that a certain formula node is true even though that node has already been assigned the label false. Binding labelings with this property are inconsistent.


Definition: Let $\mathcal{G}$ be an Ontic graph and let $\Gamma$ be a binding labeling of $\mathcal{G}$. We say that $\Gamma$ is $\mathcal{G}$-inconsistent if any of the following conditions hold:

• The color and truth labeling of $\Gamma$ is C-inconsistent where C is the congruence constraint graph underlying $\mathcal{G}$.

• There exists a formula node p which can be proven false via $\Gamma\mathcal{G}$-formula-generalization but p is labeled true under $\Gamma$.

• There exists a formula node p which can be proven true via either $\Gamma\mathcal{G}$-established-type-generalization or $\Gamma\mathcal{G}$-existential-generalization but p is labeled false under $\Gamma$.

Given a definition of the kinds of inferences that are associated with Ontic graphs and the notion of $\mathcal{G}$-inconsistency we can now define the relation $\rightarrow_{\mathcal{G}}$.


Definition: Let $\mathcal{G}$ be an Ontic graph and let $\Gamma$ and $\Gamma'$ be binding labelings of $\mathcal{G}$. We write $\Gamma \rightarrow_{\mathcal{G}} \Gamma'$ if either $\Gamma \rightarrow_S \Gamma'$ where S is the semantic modulation graph underlying $\mathcal{G}$ or else $\Gamma$ is $\mathcal{G}$-consistent, the binding set of $\Gamma'$ equals the binding set of $\Gamma$, and one of the following conditions holds:

• There exists a formula node p that can be proven false via $\Gamma\mathcal{G}$-formula-generalization and the truth and color labeling of $\Gamma'$ is the result of assigning p the label false in the truth and color labeling of $\Gamma$.

• There exists a formula node p that can be proven true via either $\Gamma\mathcal{G}$-established-type-generalization or $\Gamma\mathcal{G}$-existential-generalization and the truth and color labeling of $\Gamma'$ is the result of assigning p the label true in the truth and color labeling of $\Gamma$.

5.6.1 Semantic Soundness


The semantics of full Ontic graphs is very similar to that of semantic modulation graphs. However, the semantics of full Ontic graphs must properly account for the meaning of closure and existential links. The precise semantic meaning of closure and existential links is captured in the following definition of a satisfactory semantics for an Ontic graph.


Definition: A satisfactory semantics for an Ontic graph $\mathcal{G}$ is a satisfactory semantics W for the semantic modulation graph underlying $\mathcal{G}$ such that the following conditions hold.

• If $p \Leftrightarrow \exists m$ is an existential link in $\mathcal{G}$ and w is a world in W then w assigns p the label true just in case there exists a color c which is an instance of m in the world w.

• If $\lambda n.p = m$ is a closure link in $\mathcal{G}$ and w is a world in W then a color c is an instance of m in w just in case c is an instance of the type of n in w such that if $w[n := c]$ is an assignment of n to c in w then $w[n := c]$ assigns p the label true.


The formal language Ontic has an intended semantics which can be defined relative to a fixed universe of mathematical objects (a fixed model of ZFC set theory). The meaning, or denotation, of an Ontic expression can be defined relative to a type respecting variable interpretation; a given interpretation of Ontic variables as mathematical objects yields an interpretation for every Ontic expression. In the graph produced by the Ontic compiler each node is associated with an Ontic expression. Since a type-respecting interpretation of Ontic variables assigns a meaning to every expression, such a variable interpretation can be used to assign labels to the nodes in the graph produced by the Ontic compiler. Thus each variable interpretation yields a world and the set of all such variable interpretations yields a set of worlds, i.e. a semantics. The intended semantics for the graphs produced by the Ontic compiler is a satisfactory semantics in the technical sense defined above.




CHAPTER  5.  INFERENCE  WITH  QUANTIFIERS 


The semantic soundness theorem for Ontic graphs is analogous to the semantic soundness theorem for semantic modulation graphs.


$\rightarrow_{\mathcal{G}}$ Soundness Theorem: Let W be a satisfactory semantics for an Ontic graph $\mathcal{G}$. Let $\Gamma$ be a binding labeling of $\mathcal{G}$ with an empty binding set and with a labeling $\mathcal{L}$ such that every world in W satisfies $\mathcal{L}$. Now suppose $\Gamma \rightarrow_{\mathcal{G}}^{*} \Gamma'$ where $\Gamma'$ has binding set $\beta$ and labeling $\mathcal{L}'$. If p is a formula node that is labeled true under $\mathcal{L}'$ and such that p does not depend on any variable bound under $\beta$ then p must be labeled true in all worlds in W.


The $\rightarrow_{\mathcal{G}}$ soundness theorem implies that universal and existential generalization as allowed under $\rightarrow_{\mathcal{G}}$ are semantically sound inference techniques. As was the case for $\rightarrow_S$, the $\rightarrow_{\mathcal{G}}$ soundness theorem is proven by showing that $\rightarrow_{\mathcal{G}}$ preserves W-validity. Recall that a binding labeling $\Gamma$ is W-valid if its binding set is W-legal and every world in W that satisfies the binding set of $\Gamma$ also satisfies the truth and color labeling of $\Gamma$. Both the notion of a W-legal binding set and the notion of a W-valid binding labeling are defined purely in terms of the semantics W; these notions do not depend on graph structure and do not need to be redefined here. The proof of the $\rightarrow_{\mathcal{G}}$ preservation theorem uses the following lemma:


Freedom Source Lemma: Let W be a satisfactory semantics for a semantic modulation graph $\mathcal{G}$. Let $\Gamma$ be a W-valid binding labeling of $\mathcal{G}$ with binding set $\beta$ and truth and color labeling $\mathcal{L}$. Let n be a $\Gamma$-free variable node with freedom source n'. Let w be a world in W that satisfies $\beta$. If c is an instance of the type of n in w then the semantics W contains a $\beta$-assignment $w[\beta, n' := c]$ of n' to c in w, and any such $\beta$-assignment assigns n the color c.

Proof: Since n' is the freedom source for n, either n' is the same node as n or else $\beta$ contains the binding $n \mapsto n'$ and $\mathcal{L}$ assigns the same color labels to the type nodes of n and n'. In either case n' is $\beta$-free; any world which satisfies $\beta$ assigns n and n' the same color label; and any world which satisfies $\mathcal{L}$ assigns the type nodes for n and n' the same color label.

Since w satisfies $\beta$ and $\Gamma$ is W-valid, w must satisfy $\mathcal{L}$ and thus w must assign the type nodes for n and n' the same color label. Thus c is an instance of the type of n' in w. Thus, since $\beta$ is W-legal and n' is $\beta$-free, the semantics W contains a $\beta$-assignment $w[\beta, n' := c]$ of n' to c in w. Furthermore $w[\beta, n' := c]$ satisfies $\beta$ and assigns n' the color c, so $w[\beta, n' := c]$ must also assign n the color c.


$\rightarrow_{\mathcal{G}}$ Preservation Theorem: Let W be a satisfactory semantics for an Ontic graph $\mathcal{G}$. Let $\Gamma$ and $\Gamma'$ be binding labelings for $\mathcal{G}$. If $\Gamma$ is W-valid and $\Gamma \rightarrow_{\mathcal{G}} \Gamma'$ then $\Gamma'$ is W-valid.

Proof: Suppose that $\Gamma$ is W-valid and that $\Gamma \rightarrow_{\mathcal{G}} \Gamma'$. Either $\Gamma \rightarrow_S \Gamma'$ where S is the semantic modulation graph underlying $\mathcal{G}$ or else $\Gamma'$ is derived from $\Gamma$ by universal or existential generalization. If $\Gamma \rightarrow_S \Gamma'$ then the $\rightarrow_S$ preservation theorem implies that $\Gamma'$ is W-valid. Now suppose $\Gamma'$ is derived from $\Gamma$ by either universal or existential generalization. In this case the binding set of $\Gamma'$ equals the binding set of $\Gamma$; let $\beta$ be this binding set. By assumption $\Gamma$ is W-valid and thus $\beta$ is W-legal. It remains only to show that every world in W which satisfies $\beta$ also satisfies the truth and color labeling of $\Gamma'$. Let $\mathcal{L}$ be the truth and color labeling of $\Gamma$ and let $\mathcal{L}'$ be the truth and color labeling of $\Gamma'$. Consider a world w in W which satisfies $\beta$. Since $\Gamma$ is W-valid, w satisfies $\mathcal{L}$. Now there are three cases.

First suppose that there exists a formula node q which can be proven false via $\Gamma\mathcal{G}$-formula-generalization over a variable node n and that $\mathcal{L}'$ is derived from $\mathcal{L}$ by assigning q the label false. In this case there exists a closure link $\lambda n.p = m$ and an existential link $q \Leftrightarrow \exists m$ such that $\mathcal{L}$ labels p false, n is $\Gamma$-free with freedom source n', and no free variable of p other than n $\beta$-depends on n'. To show that $\Gamma'$ is W-valid let w be any world in W that satisfies $\beta'$. We must show that w satisfies $\mathcal{L}'$. Since $\Gamma$ is W-valid, and since $\beta$ equals $\beta'$, the world w must satisfy $\mathcal{L}$. Thus to show that w satisfies $\mathcal{L}'$ it suffices to show that w assigns q the label false. Given the semantics of existential links it suffices to show that there are no instances of m in w. The semantics of closure links states that a color c is an instance of m in w just in case c is an instance of the type of n such that if $w[n := c]$ is an assignment of n to c in w then $w[n := c]$ assigns p the label true. Let c be any instance of the type of n in w and let $w[n := c]$ be an assignment of n to c in w. To show that there are no instances of m it suffices to show that $w[n := c]$ assigns p the label false. By the above freedom source lemma the semantics W contains a $\beta$-assignment $w[\beta, n' := c]$ of n' to c in w and any such $\beta$-assignment must assign n the color c. Since $w[\beta, n' := c]$ satisfies $\beta$, and since $\Gamma$ is W-valid, the world $w[\beta, n' := c]$ must satisfy the labeling $\mathcal{L}$ and thus $w[\beta, n' := c]$ must assign p the label false. It now suffices to show that $w[n := c]$ agrees with $w[\beta, n' := c]$ on the formula p. To show that $w[n := c]$ and $w[\beta, n' := c]$ agree on p it suffices to show that these two worlds agree on the free variables of p. Both $w[n := c]$ and $w[\beta, n' := c]$ assign n the color c. Now consider the free variables of p other than n. Since no free variable of p other than n $\beta$-depends on n', $w[\beta, n' := c]$ agrees with w on the free variables of p other than n. Furthermore, the definition of an Ontic graph states that no free variable of p other than n directly depends on n. Thus $w[n := c]$ also agrees with w on the free variables of p other than n. Thus $w[n := c]$ and $w[\beta, n' := c]$ agree on all the free variables of p and thus agree on p.

Now suppose that there exists a formula node p such that p can be proven true via $\Gamma\mathcal{G}$-established-type-generalization over a variable node n and that $\mathcal{L}'$ is derived from $\mathcal{L}$ by assigning p true. In this case there exists a subtype link $p \Leftrightarrow m \prec m'$ such that m is the type node of n, n is $\Gamma$-free with freedom source n' and m' is an $\mathcal{L}\mathcal{G}$-established-type-node for n such that m' does not $\beta$-depend on n'. To show that $\Gamma'$ is W-valid consider a world w that satisfies $\beta'$. We must show that w satisfies $\mathcal{L}'$. Since $\Gamma$ is W-valid, and since $\beta$ equals $\beta'$, the world w must satisfy $\mathcal{L}$. Thus it suffices to show that w assigns p the label true. By the definition of a satisfactory semantics it suffices to show that every instance of m in w is also an instance of m' in w. Let c be an instance of m in w. It suffices to show that c is an instance of m' in w. Since the variable n has type node m, the color c is an instance of the type of n. Thus the above freedom source lemma implies that W contains a $\beta$-assignment $w[\beta, n' := c]$ of n' to c in w and any such $\beta$-assignment assigns n the color c. Since $w[\beta, n' := c]$ satisfies $\beta$ and since $\Gamma$ is W-valid, $w[\beta, n' := c]$ must satisfy $\mathcal{L}$. Now since m' is an $\mathcal{L}$-established-type-node for n the color of n in $w[\beta, n' := c]$ must be an instance of m' in $w[\beta, n' := c]$. Thus c is an instance of m' in the world $w[\beta, n' := c]$. To show that c is an instance of m' in w it now suffices to show that w and $w[\beta, n' := c]$ agree on m'. But this follows immediately from the assumption that m' does not $\beta$-depend on n'.

Now consider existential generalization. Suppose that $\mathcal{G}$ contains an existential link $p \Leftrightarrow \exists m$ such that there exists a node r such that m is an $\mathcal{L}$-established-type-node of r, and that $\mathcal{L}'$ is derived from $\mathcal{L}$ by assigning p the label true. To show that $\Gamma'$ is W-valid let w be a world in W that satisfies $\beta'$. We must show that w satisfies $\mathcal{L}'$. Since $\beta$ equals $\beta'$ and since $\Gamma$ is W-valid the world w must satisfy $\mathcal{L}$. To show that w satisfies $\mathcal{L}'$ it suffices to show that w assigns p the label true. Since w satisfies $\mathcal{L}$, and since m is an $\mathcal{L}$-established-type-node for r, the color of r in w must be an instance of m in w. But this implies that there exists an instance of m in w, so by the semantics of existential links w must assign p the label true.


5.6.2  Assumptions 


Recall that the notion of W-validity does not allow for assumptions; to properly handle assumptions one must deal with labelings that are not W-valid. To deal with labelings that are not W-valid we need a new inference relation $\rightarrow_{\mathcal{G}A}$. The relation $\rightarrow_{\mathcal{G}A}$ restricts bindings to avoid binding variables depended on by assumptions in A and also restricts universal generalization so that one does not generalize over variables depended on by assumptions in A.

Definition: An assumption set over an Ontic graph $\mathcal{G}$ is a set A of formula nodes in $\mathcal{G}$.

Let $\mathcal{G}$ be an Ontic graph, let A be an assumption set over $\mathcal{G}$ and let $\Gamma$ be a binding labeling of $\mathcal{G}$ with binding set $\beta$.

A variable node n is called $A\Gamma$-free with freedom source n' just in case n is $\Gamma$-free with freedom source n' and no element of A $\beta$-depends on n'.

It  is  now  possible  to  define  the  forms  of  inference  associated  with  an  Ontic 
graph  under  a  set  of  assumptions. 

Definition: Let $\mathcal{G}$ be an Ontic graph and let A be an assumption set over $\mathcal{G}$. Let $\Gamma$ be a binding labeling of $\mathcal{G}$.

We say that a formula p can be proven false by $A\Gamma\mathcal{G}$-formula-generalization over a variable node n just in case p can be proven false by $\Gamma\mathcal{G}$-formula-generalization over n and n is $A\Gamma$-free.

We say that a formula p can be proven true by $A\Gamma\mathcal{G}$-established-type-generalization over a variable node n just in case p can be proven true by $\Gamma\mathcal{G}$-established-type-generalization over n and n is $A\Gamma$-free.

As the above definition indicates, the inferences that are allowed in the presence of assumptions are slightly different from the inferences that are allowed when no assumptions are present; certain universal generalization inferences may be allowed in the absence of assumptions but not allowed when assumptions are present. This difference in the allowed inferences is reflected in a difference in the notion of consistency.

Definition: Let $\mathcal{G}$ be an Ontic graph, let $\Gamma$ be a binding labeling of $\mathcal{G}$ and let A be an assumption set over $\mathcal{G}$. We say that $\Gamma$ is $A\mathcal{G}$-inconsistent if any of the following conditions hold:

• The color and truth labeling of $\Gamma$ is C-inconsistent where C is the congruence constraint graph underlying $\mathcal{G}$.

• There exists a formula node p which can be proven false via $A\Gamma\mathcal{G}$-formula-generalization but p is labeled true under $\Gamma$.

• There exists a formula node p which can be proven true via either $A\Gamma\mathcal{G}$-established-type-generalization or $\Gamma\mathcal{G}$-existential-generalization but p is labeled false under $\Gamma$.


Given a definition of the kinds of inferences that are associated with Ontic graphs under assumptions and the notion of $A\mathcal{G}$-inconsistency we can now define the relation $\rightarrow_{\mathcal{G}A}$.


Definition: Let $\mathcal{G}$ be an Ontic graph, let A be an assumption set over $\mathcal{G}$, and let $\Gamma$ and $\Gamma'$ be binding labelings of $\mathcal{G}$. We write $\Gamma \rightarrow_{\mathcal{G}A} \Gamma'$ if either $\Gamma \rightarrow_{SA} \Gamma'$ where S is the semantic modulation graph underlying $\mathcal{G}$ or else $\Gamma$ is $A\mathcal{G}$-consistent, the binding set of $\Gamma'$ equals the binding set of $\Gamma$, and one of the following conditions holds:

• There exists a formula node p that can be proven false via $A\Gamma\mathcal{G}$-formula-generalization and the truth and color labeling of $\Gamma'$ is the result of assigning p the label false in the truth and color labeling of $\Gamma$.

• There exists a formula node p that can be proven true via either $A\Gamma\mathcal{G}$-established-type-generalization or $\Gamma\mathcal{G}$-existential-generalization and the truth and color labeling of $\Gamma'$ is the result of assigning p the label true in the truth and color labeling of $\Gamma$.

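
The three generalization inferences of this section, together with their assumption-restricted $A\Gamma\mathcal{G}$ forms and the resulting notion of inconsistency, can be made concrete on a small graph. The following Python is an added illustration written for this page, not code from the Ontic system. Its representation of links as tuples, its reading of $\beta$-dependence in terms of a per-node set of directly depended-on variables, and its computation of freedom sources by following $\beta$ to an unbound variable node are simplifying assumptions of the example; color labels and C-inconsistency of the underlying congruence graph are left out, and the sample graph and labeling are constructed for the demonstration.

```python
"""Toy model of the section 5.6 generalization inferences (added example, not
the Ontic system's code). Assumptions, all mine: closure links are stored as
(n, p, m) for lambda n.p = m, existential links as (q, m) for q <=> exists m,
subtype links as (p, m, m2) for p <=> m < m2; deps maps a node to the variable
nodes it directly depends on; beta maps a bound variable to the node it is
bound to; n is Gamma-free with source n' when following beta from n ends at an
unbound variable node n'; x beta-depends on n' when a variable x depends on
(x itself, if x is a variable) resolves through beta to n'. Color labels and
C-inconsistency of the congruence graph are left out."""
from dataclasses import dataclass, field

@dataclass
class Graph:
    var_type: dict          # variable node -> its type node
    deps: dict              # node -> set of variable nodes it directly depends on
    closure: list = field(default_factory=list)
    existential: list = field(default_factory=list)
    subtype: list = field(default_factory=list)

@dataclass
class Labeling:
    beta: dict              # binding set: variable node -> node it is bound to
    truth: dict             # formula node -> True / False
    established: dict       # node -> set of L-established type nodes

def resolve(L, n):
    """Follow bindings from n until an unbound node is reached."""
    seen = set()
    while n in L.beta and n not in seen:
        seen.add(n)
        n = L.beta[n]
    return n

def beta_depends(g, L, x, nprime):
    vars_ = set(g.deps.get(x, ())) | ({x} if x in g.var_type else set())
    return any(resolve(L, v) == nprime for v in vars_)

def freedom_source(g, L, n, A=frozenset()):
    """n' if n is AGamma-free with source n' (Gamma-free when A is empty), else None."""
    src = resolve(L, n)
    if src not in g.var_type:                       # bound to a non-variable node
        return None
    if any(beta_depends(g, L, a, src) for a in A):  # some assumption depends on n'
        return None
    return src

def formula_generalization(g, L, A=frozenset()):
    """Formula nodes q provable false by (A)Gamma-G-formula-generalization."""
    out = set()
    for n, p, m in g.closure:
        src = freedom_source(g, L, n, A)
        if L.truth.get(p) is not False or src is None:
            continue
        if any(beta_depends(g, L, v, src) for v in set(g.deps.get(p, ())) - {n}):
            continue                                # another free variable depends on n'
        out.update(q for q, m2 in g.existential if m2 == m)
    return out

def established_type_generalization(g, L, A=frozenset()):
    """Formula nodes p provable true by (A)Gamma-G-established-type-generalization."""
    out = set()
    for p, m, m2 in g.subtype:
        for n, t in g.var_type.items():
            src = freedom_source(g, L, n, A)
            if (t == m and m2 in L.established.get(n, ())
                    and src is not None and not beta_depends(g, L, m2, src)):
                out.add(p)
    return out

def existential_generalization(g, L):
    """Formula nodes p provable true: p <=> exists m and m established for some node."""
    return {p for p, m in g.existential
            if any(m in est for est in L.established.values())}

def inconsistent(g, L, A=frozenset()):
    """AG-inconsistency: a derivable label contradicts an existing one."""
    true_now = established_type_generalization(g, L, A) | existential_generalization(g, L)
    return (any(L.truth.get(q) is True for q in formula_generalization(g, L, A))
            or any(L.truth.get(p) is False for p in true_now))

def generalize(g, L, A=frozenset()):
    """Apply ->GA generalization steps, one label per step, until none remains;
    None if an intermediate labeling is AG-inconsistent (steps need consistency)."""
    cur = Labeling(dict(L.beta), dict(L.truth), {k: set(v) for k, v in L.established.items()})
    while True:
        if inconsistent(g, cur, A):
            return None
        new = {q: False for q in formula_generalization(g, cur, A) if q not in cur.truth}
        new.update({p: True for p in established_type_generalization(g, cur, A)
                    | existential_generalization(g, cur) if p not in cur.truth})
        if not new:
            return cur
        node, label = next(iter(new.items()))
        cur.truth[node] = label

# Constructed sample: variable X of type NAT; formula P (read "X < X") with closure
# link lambda X.P = M_P; existential link Q <=> exists M_P, so "for all X, not P" is
# the negation of Q; subtype link S <=> NAT < INT; existential link E <=> exists INT;
# a constant node ZERO; an assumption node ASSUME that depends on X.
G = Graph(var_type={"X": "NAT"}, deps={"P": {"X"}, "ASSUME": {"X"}},
          closure=[("X", "P", "M_P")], existential=[("Q", "M_P"), ("E", "INT")],
          subtype=[("S", "NAT", "INT")])
# Empty binding set, P already proven false, INT established for X and for ZERO.
L0 = Labeling(beta={}, truth={"P": False}, established={"X": {"INT"}, "ZERO": {"INT"}})
```

On the constructed graph, `generalize(G, L0)` derives Q false (the universal, as the negation of an existential), S true and E true from the empty binding set. With `A = {"ASSUME"}` both universal generalizations over X are blocked, because the assumption $\beta$-depends on the freedom source X, while the existential generalization of E remains available; that is exactly the difference in allowed inferences that $A\Gamma$-freedom and $A\mathcal{G}$-inconsistency record. Binding X to the constant ZERO removes X's freedom source, so no generalization over X is possible at all.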
5.6.3 Soundness under Assumptions

The soundness theorem for the relation $\rightarrow_{\mathcal{G}A}$ is analogous to the soundness theorem for $\rightarrow_{SA}$.


$\rightarrow_{\mathcal{G}A}$ Soundness Theorem: Let W be a satisfactory semantics for an Ontic graph $\mathcal{G}$ and let A be an assumption set over $\mathcal{G}$. Let $\Gamma$ be a binding labeling with an empty binding set and such that every world in W that satisfies A also satisfies the truth and color labeling of $\Gamma$. Now suppose $\Gamma \rightarrow_{\mathcal{G}A}^{*} \Gamma'$ where $\Gamma'$ has binding set $\beta$ and truth and color labeling $\mathcal{L}'$. If p is a formula node such that p is labeled true under $\mathcal{L}'$ and no variable depended on by p is bound under $\beta$ then p must be labeled true in all worlds in W that satisfy A.

The soundness theorem for $\rightarrow_{\mathcal{G}A}$ can be proven by showing that $\rightarrow_{\mathcal{G}A}$ preserves AW-validity. Recall that $\Gamma$ is AW-valid if the binding set of $\Gamma$ is AW-legal and every world in W that satisfies both A and the binding set of $\Gamma$ also satisfies the truth and color labeling of $\Gamma$. The notion of AW-validity is defined in a purely semantic way; the AW-validity of the binding labeling $\Gamma$ does not depend on any graph structure and need not be redefined here.


$\rightarrow_{\mathcal{G}A}$ Preservation Theorem: Let W be a satisfactory semantics for an Ontic graph $\mathcal{G}$ and let A be an assumption set for $\mathcal{G}$. If $\Gamma$ is an AW-valid binding labeling and $\Gamma \rightarrow_{\mathcal{G}A} \Gamma'$, then $\Gamma'$ is also AW-valid.

The proof of the $\rightarrow_{\mathcal{G}A}$ preservation theorem is directly analogous to the proof of the $\rightarrow_{\mathcal{G}}$ preservation theorem and is not given here. The proof relies on the fact that if n is $A\Gamma$-free with freedom source n' then no element of A $\beta$-depends on n', where $\beta$ is the binding set of $\Gamma$. More specifically, if n' is $\beta$-free and no element of A $\beta$-depends on n' then, by definition, n' is $A\beta$-free. Since n' is $A\beta$-free, and $\beta$ is AW-legal, $\beta$-assignments exist for n' in all worlds that satisfy both $\beta$ and A. If n' were $\beta$-free but not $A\beta$-free then the AW-legality of $\beta$ would not ensure that $\beta$-assignments exist for n'.

5.6.4 Focus, Termination and Order Independence

Of course it is possible to control the generation of bindings with focus objects. A focus set over an Ontic graph $\mathcal{G}$ is simply a subset of the nodes of $\mathcal{G}$. One can define the relation $\rightarrow_{\mathcal{G}\mathcal{F}A}$ as a restriction of the relation $\rightarrow_{\mathcal{G}A}$: the relation $\rightarrow_{\mathcal{G}\mathcal{F}A}$ never binds variables which are $\mathcal{F}$-protected, only binds variables to focus objects, and never binds two variables with the same type node to the same focus object. Because the relation $\rightarrow_{\mathcal{G}\mathcal{F}A}$ is a restriction of the relation $\rightarrow_{\mathcal{G}A}$ it clearly preserves AW-validity.

Order independence for the relation $\rightarrow_{\mathcal{G}\mathcal{F}A}$ requires a restriction on universal generalization inferences. More specifically, the freedom source of the variable being generalized over in a universal generalization inference must be $\mathcal{F}$-protected. This ensures that no binding operation allowed under $\rightarrow_{\mathcal{G}\mathcal{F}A}$ binds the freedom source involved in a universal generalization inference. This in turn ensures that all allowed universal generalization inferences commute with all allowed binding operations. This restriction on universal generalization inference has not been a problem in practice.


Chapter  6 

The  Ontic  Language 


The formal language Ontic consists of twenty three kinds of expression plus seven macros that provide convenient abbreviations for expressions. The Ontic compiler converts a set $\Sigma$ of Ontic expressions to an Ontic graph $G(\Sigma)$. The graph $G(\Sigma)$ is simpler than the set $\Sigma$; although there can be twenty three different kinds of expressions in $\Sigma$ there are only nine kinds of links in Ontic graphs. The compiler is described in chapter 7; the current chapter describes the language Ontic and various syntactic properties of that language.

There  are  several  aspects  of  the  syntax  of  the  Ontic  language  that  need 
explaining.  First  of  all,  most  of  the  axioms  of  Zermelo-Fraenkel  set  theory 
are  encoded  in  the  notion  of  a  syntactically  small  type  expression;  a  type 
expression  can  be  “reified”  as  a  set  only  if  the  type  expression  is  syntactically 
small.  This  chapter  also  describes  free  variables  and  substitution;  the  type 
system  used  in  the  Ontic  language  makes  these  notions  somewhat  complex. 


6.1  Non-Minimality  of  the  Ontic  Language 


The Ontic language is not semantically minimal; many of the constructs in the Ontic language could be semantically defined in terms of more basic constructs. There are three reasons for the non-minimality of the Ontic language. First, the Ontic system encodes the axioms of set theory in the syntax of the Ontic language. Second, the non-minimality of the Ontic language allows the compilation process to generate efficient graph structure. There is an analogy between the non-minimality of the Ontic language and the non-minimality of programming languages — greater efficiency is achieved by allowing the compiler to directly implement certain non-minimal language features. Finally, directly compiling non-minimal language features improves the input-output behavior of the system; there are automatic inferences based on the graph structure generated from the non-minimal language which would not be done automatically if the compilation process was restricted to a minimal language.

The notion of a syntactically small type expression encodes many of the axioms of set theory. Rather than having explicit comprehension axioms, the Ontic system allows the construction of sets of the form

(THE-SET-OF-ALL $\tau$)

where $\tau$ is a syntactically small type expression. Not all type expressions are syntactically small; the types SET, GROUP, FIELD, or TOPOLOGICAL-SPACE are all large and an error is generated if an attempt is made to construct the set of all sets or the set of all topological spaces. On the other hand if s is a term that denotes a set then the type

(SUBSET-OF s)

is syntactically small and one can construct the set

(THE-SET-OF-ALL (SUBSET-OF s))

The smallness of types of the form (SUBSET-OF s) corresponds to the axiom of power set; for every set s there exists another set P(s) such that P(s) contains all subsets of s. The smallness of types of the form (EITHER $\tau_1$ $\tau_2$) corresponds to the set theoretic axiom of pairing. The smallness of lambda types corresponds to the axiom of restricted comprehension, and the smallness of types of the form (RANGE-TYPE f) corresponds to the axioms of union and replacement.
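
As an added illustration, not part of the thesis or of the Ontic compiler, the following Python parses Ontic-style type expressions and applies the smallness rules just named to decide whether a type may be reified with THE-SET-OF-ALL, signalling an error for a large type as the text says the system does. The rules for SUBSET-OF, EITHER, RANGE-TYPE and the four named large types follow the text; treating THING as large, accepting a lambda type only when its domain type is small (the restricted-comprehension reading), accepting an OR-TYPE only when both disjuncts are small, and the `small_atoms` parameter for type names the caller already knows to be small are my own assumptions.

```python
"""Syntactic smallness check for a fragment of Ontic type expressions (added
example, not the Ontic compiler). Rules from the text: SET, GROUP, FIELD and
TOPOLOGICAL-SPACE are large; (SUBSET-OF s), (EITHER ...) and (RANGE-TYPE f) are
small. My assumptions: THING is large, a lambda type is small only when its
domain type is small, an OR-TYPE is small when all its disjuncts are, and any
other atom is small only if it is named in `small_atoms`."""

LARGE_ATOMS = {"SET", "GROUP", "FIELD", "TOPOLOGICAL-SPACE", "THING"}
SMALL_HEADS = {"SUBSET-OF", "EITHER", "RANGE-TYPE"}


class LargeTypeError(ValueError):
    """Raised when THE-SET-OF-ALL is applied to a large type expression."""


def parse(text):
    """Parse one Lisp-style s-expression into nested lists of atom strings."""
    tokens = text.replace("(", " ( ").replace(")", " ) ").split()

    def read(i):
        if tokens[i] == "(":
            items, i = [], i + 1
            while i < len(tokens) and tokens[i] != ")":
                item, i = read(i)
                items.append(item)
            if i >= len(tokens):
                raise SyntaxError("missing ')'")
            return items, i + 1
        if tokens[i] == ")":
            raise SyntaxError("unexpected ')'")
        return tokens[i], i + 1

    expr, end = read(0)
    if end != len(tokens):
        raise SyntaxError("trailing tokens after expression")
    return expr


def is_small(t, small_atoms=frozenset()):
    """Decide syntactic smallness of a parsed type expression."""
    if isinstance(t, str):                      # a named type
        return t in small_atoms and t not in LARGE_ATOMS
    head = t[0]
    if head in SMALL_HEADS:                     # power set, pairing, union/replacement
        return True
    if head == "LAMBDA":
        # (LAMBDA ((X tau)) body): a type takes one argument; small iff tau is small
        bindings = t[1]
        return len(bindings) == 1 and is_small(bindings[0][1], small_atoms)
    if head == "OR-TYPE":
        return all(is_small(d, small_atoms) for d in t[1:])
    return False


def reify(text, small_atoms=frozenset()):
    """Check a (THE-SET-OF-ALL tau) term: return the parsed term when tau is
    small, otherwise raise LargeTypeError (the compiler's error case)."""
    expr = parse(text)
    if not (isinstance(expr, list) and len(expr) == 2 and expr[0] == "THE-SET-OF-ALL"):
        raise SyntaxError("expected (THE-SET-OF-ALL tau)")
    if not is_small(expr[1], small_atoms):
        raise LargeTypeError(f"cannot form the set of all instances of {expr[1]}")
    return expr


def is_reifiable(text, small_atoms=frozenset()):
    """True if THE-SET-OF-ALL may be applied, False if the type is large."""
    try:
        reify(text, small_atoms)
        return True
    except LargeTypeError:
        return False
```

The lambda rule is what makes the THING-quantified expansion of OR-TYPE discussed below large while its disjuncts may each be small, which is one more reason to keep OR-TYPE as a primitive.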

The non-minimality of the Ontic language also allows the graph $G(\Sigma)$ to be smaller than it would be otherwise. For example consider a type expression of the form

(OR-TYPE $\tau_1$ $\tau_2$)

An object is an instance of this type just in case it is an instance of either the type $\tau_1$ or the type $\tau_2$. Semantically this type is equivalent to the type

(LAMBDA ((X THING)) (OR (IS X $\tau_1$) (IS X $\tau_2$)))

However the lambda type quantifies over the type THING and generates additional graph structure for each variable of type THING. By implementing the OR-TYPE operator as a primitive one can avoid quantifying over the type THING and thus create less graph structure. The primitive implementations of IF, EITHER and RANGE-TYPE lead to similar savings in the amount of graph structure created.

The non-minimality of the Ontic language also leads to greater inferential power. For example consider the reification of functions. Expressions in the Ontic language are divided into five syntactic categories: terms, formulas, functions, types and type-generators. Of these five categories terms are the only first class objects; variables can be bound only to terms and only terms can be used to specify focus objects. However certain type expressions (syntactically small type expressions) can be reified, i.e. coerced to a term, via the operator THE-SET-OF-ALL. Furthermore, functions can be reified, or coerced to terms, via the operator THE-RULE. If f is a syntactically small function expression which takes one argument then the Ontic expression (THE-RULE f) denotes the set of pairs that corresponds to the function f. Unlike the function expression f, the term expression (THE-RULE f) is a first class object; variables can be bound to it and it can be used as a focus object in an Ontic context. The operator THE-RULE is not semantically minimal; it is possible to define the operator THE-RULE using the operator THE-SET-OF-ALL. However the primitive implementation of the operator THE-RULE allows the system to perform inferences in a single step that would take many steps if the system were forced to reason purely in terms of the operator THE-SET-OF-ALL. More specifically the Ontic language includes the operator APPLY-RULE such that for any syntactically small function f of one argument the implementation of the operator THE-RULE allows the system to derive the following equation in a single step.

(IS (APPLY-RULE (THE-RULE f) x)
    (EQUAL-TO (f x)))

If THE-RULE were a macro that expanded to an expression involving THE-SET-OF-ALL then the above equation would have to be proved using a several step proof for each reified function f. One cannot state the above equation as a lemma about all functions because one cannot quantify over functions. However one can quantify over rules, and the operator THE-RULE provides a way of reifying syntactically small functions as rules.


6.2  The  Ontic  Language 


The expressions in the Ontic language are divided into five categories: terms, functions, formulas, types and type generators. Terms are expressions that
denote  mathematical  objects  such  as  sets,  pairs,  graphs,  partially  ordered 
sets  and  lattices.  Function  expressions  denote  operators  (functions)  that 
map  objects  to  objects.  Formulas  are  expressions  that  are  either  true  or  false 
in  any  given  interpretation.  Type  expressions  denote  one  place  predicates  on 
objects;  if  r  is  a  type  expression  and  the  predicate  denoted  by  r  is  true  of  an 
object  x,  then  we  say  that  x  is  an  instance  of  the  type  r.  Type  generators 
are  operators  which  take  arguments  (which  are  always  terms)  and  return  a 
type.  For  example  the  type  generator  GREATER-THAN  takes  a  partially 
ordered  set  P  and  an  element  x  of  P  and  returns  a  type  whose  instances  are 
the  elements  of  P  which  are  greater  than  x  under  the  ordering  imposed  by 
P. 


Functions, types, and type generators can be λ-expressions. A λ-expression
is an expression of the form

(LAMBDA ((X_1 τ_1) (X_2 τ_2) ... (X_k τ_k)) body)

A λ-expression always denotes an operator; the above expression is an
operator that takes k arguments where each argument must be an instance
of the associated type. If the body of a λ-expression is a formula then the
expression is a type expression and is only allowed to take one argument. If
the body is a term then the λ-expression is a function; if the body is a type
then the λ-expression is a type generator.



There  are  actually  two  versions  of  the  Ontic  language  which  differ  in  the 
way  variables  are  treated.  The  first  version  of  the  language  is  the  one  used 
in  the  top  level  user  interface.  In  this  external  version  of  the  Ontic  language 
a  variable  is  simply  a  symbol  such  as  X  and  the  same  symbol  can  be  used 
in  different  ways  in  different  contexts.  The  external  version  of  the  language 
should  be  distinguished  from  the  internal  version  where  individual  variables 
have  more  structure  and  stronger  identity. 

There  is  a  one  to  one  correspondence  between  the  nodes  in  the  graph 
generated  by  the  Ontic  compiler  and  expressions  in  the  internal  language. 
In  particular  there  is  a  one  to  one  correspondence  between  variable  nodes  in 
the  graph  structure  and  variables  of  the  internal  language.  This  one  to  one 
correspondence  would  be  impossible  for  the  external  language  because  the 
external  language  allows  a  given  symbol  to  be  used  as  variables  of  different 
types  in  different  contexts.  In  the  internal  version  of  the  Ontic  language 
each  variable  has  a  fixed  type  that  is  taken  to  be  a  syntactic  property  of  that 
variable. The following λ-type is an example of an external expression:

(LAMBDA ((X SET))
  (IS-EVERY (MEMBER-OF X) SET))

This external expression gets mapped to the following internal expression

(LAMBDA (x^SET)
  (IS-EVERY (MEMBER-OF x^SET) SET))

Note that in the translation process the external symbol X has been replaced
by the internal variable x^SET of type SET.


Only  the  internal  language  is  formally  defined  here.  Fortunately,  the 
external  and  internal  versions  of  the  Ontic  language  are  very  similar  and  the 
definition  of  the  external  language  should  be  clear  from  the  definition  of  the 
internal  language.  A  method  of  translating  external  expressions  into  internal 
expressions  is  discussed  in  a  later  section. 

An  internal  Ontic  expression  can  be  formally  defined  as  one  of  the  twenty 
three  different  kinds  of  expressions  listed  below. 
Definition: An internal Ontic expression is one of the following:

• A type expression which is one of the following:

- One of the type symbols THING, SET, RULE or SYMBOL.
The type SYMBOL is syntactically small while the types
THING, SET, and RULE are all large.

- An application of the form (g t_1 t_2 ... t_k) where g is a
type generator of k arguments and each t_i is a term. A
type expression of this form is syntactically small just
in case the type generator g is syntactically small.

- A λ-type of the form (LAMBDA (x^τ) Φ) where x^τ is a variable
of type τ and Φ is a formula. A type of this form
is syntactically small just in case the domain type τ is
syntactically small. The class of instances of this type
is a subclass of the instances of the type τ.

- An expression of the form (OR-TYPE τ_1 τ_2) where τ_1
and τ_2 are types. A type expression of this form is syntactically
small just in case both the types τ_1 and τ_2 are
syntactically small.

- An expression of the form (RANGE-TYPE f) where f is a
function expression of any number of arguments. A type
expression of this form is syntactically small just in case
the function expression f is syntactically small.

• A term which is one of the following:

- A variable x^τ where τ is a type expression. Each type
τ is associated with an infinite sequence x_1^τ, x_2^τ, x_3^τ, ...
of variables of type τ.

- An application of the form (f t_1 t_2 ... t_k) where f is a
function expression of k arguments and each t_i is a term.

- An expression of the form (THE-SET-OF-ALL τ) where
τ is a syntactically small type expression.

- An expression of the form (THE τ) where τ is a syntactically
small type expression.

- A conditional expression of the form (IF Φ t_1 t_2) where
Φ is a formula and t_1 and t_2 are terms.

- An expression of the form (THE-RULE f) where f is a
syntactically small λ-function of one argument.

- An expression of the form (QUOTE symbol) where symbol
is an atomic symbol.

• A function expression which is one of the following:

- A λ-function of k arguments of the form

(LAMBDA (x_1^τ_1 x_2^τ_2 ... x_k^τ_k) body)

where each x_i^τ_i is a variable of type τ_i and body is a term.
A λ-function is syntactically small just in case each type
expression τ_i is syntactically small.

- An expression of the form (THE-FUNCTION t) where t
is a term. The term t should denote an instance of the
type RULE, i.e. something expressible as (THE-RULE f).
All functions of this form are functions of one argument
and are syntactically small.

- The primitive function symbol RULE-DOMAIN which is a
large function of one argument. This function should
only be applied to instances of the type RULE.

• A formula which is one of the following:

- A type formula of the form (IS t τ) where t is a term
and τ is a type expression.

- An existence formula of the form (EXISTS-SOME τ) where
τ is a type expression.

- An equality of the form (= e_1 e_2) where e_1 and e_2 are
any internal Ontic expressions.

- A Boolean application of formulas constructed with one
of the Boolean operators NOT, OR, AND, IMPLIES, or IFF.

- A subtype formula of the form (IS-EVERY σ τ) where
σ and τ are type expressions.

• A type generator expression which is one of the following:

- One of the primitive type generators EQUAL-TO, MEMBER-OF,
SUBSET-OF, EITHER or RULE-BETWEEN. The type generators
EITHER and RULE-BETWEEN both take two arguments,
all the others take one. All these type generators
are syntactically small.

- A non-primitive type generator of k arguments of the
form

(LAMBDA (x_1^τ_1 x_2^τ_2 ... x_k^τ_k) body)

where body is a type expression. A type generator of this
form is syntactically small just in case the type body is
syntactically small.

• An unclassified combinator expression. Combinator expressions
are generated when a λ-type is compiled into graph
structure. Combinator expressions are discussed in chapter 7.


The large size of the internal language makes it difficult to define properties
of expressions; to define an operation on internal expressions it seems
that one must define that operation on each of the twenty three different
kinds of expressions. Fortunately this problem can be avoided. More specifically
the twenty three different kinds of expressions can be classified into four
groups: atomic expressions, variables, lambda expressions, and extensional
applications.


Definition: An atomic expression is either one of the primitive
type symbols, one of the primitive type generator symbols, or a
quotation of the form (QUOTE symbol).

A λ-expression is either a λ-type, a λ-function or a non-primitive
type generator.

An extensional application is an expression other than a variable,
an atomic expression or a λ-expression. All extensional applications
have the form

(op arg_1 arg_2 ... arg_k)


6.3 Binding and Freedom

There are some subtleties in the internal language concerning the notion of
a free variable. The external formula

(EXISTS ((X (MEMBER-OF S)))
  (IS X (MEMBER-OF U)))

is an abbreviation for the external formula

(EXISTS-SOME
  (LAMBDA ((X (MEMBER-OF S)))
    (IS X (MEMBER-OF U))))

which corresponds to the internal formula

(EXISTS-SOME
  (LAMBDA (x^(MEMBER-OF s^SET))
    (IS x^(MEMBER-OF s^SET) (MEMBER-OF u^SET))))

This formula says that there exists a member of s^SET which is also a
member of u^SET. Thus the variable s^SET must be a free variable of this formula.
Note however that s^SET appears in the type of the bound variable
x^(MEMBER-OF s^SET). More generally consider any λ-type of the form

(LAMBDA (x^τ) Φ)

A free variable in the type τ is considered to be free in the λ-type.

In general consider a λ-expression of the form

(LAMBDA (x_1^τ_1 x_2^τ_2 ... x_k^τ_k) body)

If this λ-expression is a λ-type then it denotes the class of instances of that
type. If the λ-expression is a function or type generator then it denotes
a certain class of tuples. In either case the meaning of the λ-expression
depends on the classes associated with the types τ_i which in turn can depend
on the interpretation of free variables in the type expressions. Thus the free
variables of a λ-expression include free variables in the types of the bound
parameters.
Definition: A variable y^σ appears free in an internal expression
e if one of the following conditions holds:

• e is the variable y^σ.

• e is an extensional application

(op arg_1 arg_2 ... arg_k)

and y^σ appears free either in the operator op or in one of the
arguments arg_i.

• e is a λ-expression of the form

(LAMBDA (x_1^τ_1 x_2^τ_2 ... x_k^τ_k) body)

where y^σ is not equal to any x_i^τ_i and y^σ appears free either
in body or in the type τ_i of some formal parameter x_i^τ_i.


Note that in λ-functions and type generators of more than one argument a
free variable in the type of one argument may be bound as another argument.
For example consider the type generator GREATER-OR-EQUAL-TO defined in
the external language as follows.

(DEFTYPE (GREATER-OR-EQUAL-TO (X (IN-USET P)) (P POSET))
  (LAMBDA ((Y (IN-USET P)))
    (OR (= Y X)
        (IS Y (GREATER-THAN X P)))))

The type generator GREATER-OR-EQUAL-TO takes two arguments X and P
where P is a partially ordered set and X is a member of P. The above definition
introduces the symbol GREATER-OR-EQUAL-TO as an abbreviation for an
internal type generator of the form

(LAMBDA (x^(IN-USET p^POSET) p^POSET) body)

In this expression the variable p^POSET which appears free in the type of the
bound variable x^(IN-USET p^POSET) is bound as the second argument and thus
does not appear free in the overall expression.
The definition of the free variables of an expression may seem problematic.
In particular consider an external λ-expression of the form

(LAMBDA ((X (MEMBER-OF Y)) (Y (MEMBER-OF X))) body)

According to the definition given above both occurrences of X and Y in the
type expressions are bound as arguments to the λ-expression. But there is a
circularity in the typing of the formal parameters; the expression takes two
arguments X and Y where X is a member of Y and Y is a member of X. It turns
out that no internal λ-expression has circularities of this kind. Any attempt
to translate circular external expressions into the internal language produces
an error. To see why internal λ-expressions are non-circular we need to define
the notion of rank for internal expressions.


Definition:

• If e is an atomic expression then the rank of e is 0.

• If e is a variable x^τ then the rank of e is one greater than
the rank of the type τ.

• If e is an extensional application

(op arg_1 arg_2 ... arg_k)

then the rank of e is one greater than the maximum rank of
op and the arguments arg_i.

• If e is a λ-expression

(LAMBDA (x_1^τ_1 x_2^τ_2 ... x_k^τ_k) body)

then the rank of e is one greater than the maximum rank of
body and the variables x_i^τ_i.


Lemma: All parameter lists in internal expressions are non-circular,
i.e. for any parameter list (x_1^τ_1 x_2^τ_2 ... x_k^τ_k) there exists
a permutation (y_1^σ_1 y_2^σ_2 ... y_k^σ_k) of this list such that if y_i^σ_i
appears free in the type expression σ_j then i must be less than j.

Proof: Let

(y_1^σ_1 y_2^σ_2 ... y_k^σ_k)

be a permutation of the list which sorts the parameters by rank,
i.e. if i is less than j then the rank of y_i^σ_i is less than or equal
to the rank of y_j^σ_j. Now suppose that y_i^σ_i appears free in σ_j. We
must show that in this case i is strictly less than j. It follows
from the definition of rank that if y_i^σ_i appears free in σ_j then the
rank of σ_j must be greater than the rank of y_i^σ_i. Furthermore the
rank of y_j^σ_j is one greater than the rank of σ_j. Thus the rank of
y_i^σ_i must be less than the rank of y_j^σ_j, so i must be less than j.


6.4  Translating  External  Expressions 


The syntax of the external language is similar to the syntax of the internal
language except that external symbols are used rather than variables and
the syntax of λ-expressions is slightly different. The definition of when a
symbol X appears free in an external expression e is directly analogous to the
corresponding definition for the internal language.

The translation of an external expression into an internal expression is
defined relative to a symbol translation table which contains entries of the
form

X ↦ e

where X is an external symbol and e is an internal expression. Each context
in the Ontic system is associated with a particular symbol translation table;
different translation tables are used in different contexts. If σ is a type
expression in the external language then the context construction operation

(LET-BE X σ)

constructs a context where the symbol translation table includes the entry

X ↦ x^σ'

where x^σ' is an internal variable of type σ' where σ' is the type expression in
the internal language that corresponds to the external type expression σ. If
t is a term in the external language then the context constructor

(LET-BE X t)

yields a context where the symbol translation table contains the entry

X ↦ t'

where t' is the internal term corresponding to the external term t. The same
symbol can be used in different ways in different contexts.

Now consider an external λ-expression of the form

(LAMBDA ((X τ)) body)

To translate this expression relative to a given translation map ρ the system
first translates the external type expression τ to an internal expression τ'. If
there is some free symbol in τ which is not mapped by ρ then the translation
of τ fails. The system then chooses an internal variable x^τ' such that x^τ' does
not appear in ρ, i.e. x^τ' does not appear free in any term t which is the right
hand side of a mapping Y ↦ t in the table ρ. The system then translates
body relative to the table ρ[X ↦ x^τ'] which is the table identical to ρ except
that it maps X to x^τ'. Let body' be the result of translating body relative to
this modified table. The overall translation process then yields the internal
λ-expression

(LAMBDA (x^τ') body')

The general translation process can be precisely defined by a simple case
analysis on the syntax of external expressions.


Definition: If e is an external expression and ρ is a symbol
translation table then the translation Trans(e, ρ) of the expression
e with respect to the table ρ is defined as follows:

• If e is an atomic expression then Trans(e, ρ) equals e.

• If e is an external symbol then Trans(e, ρ) equals ρ(e).

• If e is an application

(op arg_1 arg_2 ... arg_k)

then Trans(e, ρ) equals

(Trans(op, ρ) Trans(arg_1, ρ) Trans(arg_2, ρ) ... Trans(arg_k, ρ))

• If e is a lambda expression of the form

(LAMBDA ((X_1 τ_1) ... (X_k τ_k)) body)

then let ρ' be

NewMap(ρ, ((X_1 τ_1) ... (X_k τ_k)))

where the function NewMap is defined below. The translation
Trans(e, ρ) is then defined to be

(LAMBDA (ρ'(X_1) ... ρ'(X_k)) Trans(body, ρ'))

Let arglist be an argument list of the form ((X_1 τ_1) ... (X_k τ_k))
and let ρ be a symbol translation table. If arglist is empty then
the translation table NewMap(ρ, arglist) equals the table ρ. If
arglist is not empty then the table NewMap(ρ, arglist) is defined
as follows:

• Let (X_i τ_i) be a pair in arglist such that there is no pair (X_j τ_j) in
arglist such that X_j appears free in τ_i. If no such pair (X_i τ_i)
exists then there is a circularity in the type structure of
arglist and the attempt to construct a new translation table
fails.

• Let τ_i' be Trans(τ_i, ρ) and let x^τ_i' be the first variable of type
τ_i' which does not appear in ρ, i.e. which does not appear
free in any term t which is the right hand side of a mapping
Y ↦ t in ρ.

• Let ρ' be the table ρ[X_i ↦ x^τ_i'] which is identical to ρ except
that it maps X_i to x^τ_i' and let restargs be the result of
removing the pair (X_i τ_i) from arglist.

• NewMap(ρ, arglist) equals NewMap(ρ', restargs).
Lemma: If ρ' is a translation table of the form

NewMap(ρ, ((X_1 τ_1) ... (X_k τ_k)))

then for any pair (X_i τ_i) in the given argument list ρ'(X_i) is an
internal variable of type Trans(τ_i, ρ').

When translating λ-expressions the system chooses internal variables which
replace external symbols. The internal variables of each type τ are ordered
in a linear sequence x_1^τ, x_2^τ, x_3^τ, etc. When the system chooses an internal
variable of type τ it always chooses the first acceptable variable in this sequence.
In this way the least possible number of distinct variables appear in
the internal expression resulting from the translation. Minimizing the number
of distinct variables that appear in the output expression reduces the
size of the graph generated by the compilation process; the size of the graph
is quite sensitive to the number of distinct variables of a given type which
appear in the expressions being compiled.

6.5  Substitution 

Given the notion of a free variable we can now define the notion of substitution.
If e is any internal expression, y^σ is any internal variable, and t is
any internal term, the expression e[t/y^σ] is the result of replacing all free
occurrences of y^σ in e by t with appropriate renaming of bound variables in
e. For example suppose e is a λ-expression of the form

(LAMBDA (x_1^τ_1 x_2^τ_2 ... x_k^τ_k) body)

The free variables of this expression may include free variables in the type
expressions τ_i and computing e[t/y^σ] may involve substituting into a type
τ_i of a formal parameter. Thus if e is a lambda expression then the formal
parameters of e[t/y^σ] may have different types than the formal parameters of
e and thus the formal parameters of e[t/y^σ] must be different from the formal
parameters of e. To properly define substitution for internal Ontic expressions
one must use the more general notion of a simultaneous substitution
for a set of expressions.
Definition: A substitution ω is a finite set of mappings of the
form

y^σ ↦ t

where y^σ is an internal variable and t is an internal term and a
given variable has at most one mapping under ω.

The expression e[t/y^σ] is defined to be ω(e) where ω is the substitution
containing the single mapping y^σ ↦ t.

For any substitution ω and any internal expression e, the expression
ω(e) is defined as follows:

• If ω does not contain a mapping for any free variable in e
then ω(e) equals e.

• If e is a variable y^σ and ω contains a mapping of the form
y^σ ↦ t then ω(e) equals t.

• If e is an extensional application of the form

(op arg_1 arg_2 ... arg_k)

then ω(e) equals

(ω(op) ω(arg_1) ω(arg_2) ... ω(arg_k))

• If e is a λ-expression of the form

(LAMBDA (x_1^τ_1 ... x_k^τ_k) body)

then let freevars be the set of free variables of e and let ω'
be the substitution

NewSubst(ω, (x_1^τ_1 ... x_k^τ_k), freevars)

where the function NewSubst is defined below. In this case
ω(e) equals

(LAMBDA (ω'(x_1^τ_1) ω'(x_2^τ_2) ... ω'(x_k^τ_k)) ω'(body))
Let ω be a substitution, let arglist be an argument list of the form
(x_1^τ_1 x_2^τ_2 ... x_k^τ_k) and let freevars be a set of variables. If arglist is
empty then the substitution NewSubst(ω, arglist, freevars) equals
the substitution ω. If arglist is not empty then

NewSubst(ω, arglist, freevars)

is defined as follows:

• Let x_i^τ_i be a member of the argument list such that no variable
x_j^τ_j in the argument list appears free in τ_i. Such an
argument must exist because there must be some argument
of least rank.

• Let z^ω(τ_i) be the first variable of type ω(τ_i) such that for
every variable y^σ in freevars either there exists a mapping
y^σ ↦ t in ω and z^ω(τ_i) does not occur free in t or there is no
mapping y^σ ↦ t in ω and z^ω(τ_i) is distinct from y^σ. [1]

• Let ω' be ω[x_i^τ_i ↦ z^ω(τ_i)] which is identical to ω except that
it maps x_i^τ_i to z^ω(τ_i).

• Let arglist' be arglist minus the argument x_i^τ_i.

• Let freevars' be freevars plus the variable x_i^τ_i.

• NewSubst(ω, arglist, freevars) equals

NewSubst(ω', arglist', freevars')

Recall that for each type τ the variables of type τ are ordered in a linear
sequence x_1^τ, x_2^τ, x_3^τ, etc. The above algorithm specifies that whenever
bound variables are renamed, and a variable of type τ must be chosen as
a replacement for some other variable, one must take the earliest possible
variable of type τ. This minimizes the number of variables which ultimately
get translated into graph structure.

[1] The first condition ensures that free variables introduced by ω are not captured by the
new bound variables. The second condition ensures that members of freevars not mapped
by ω are not captured by the new bound variables.
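The definitions of section 6.3 (free variables, rank, the non-circularity lemma) and the substitution algorithm just given, carried out in Python as an added example; this is not code from the thesis or from the Ontic system. It assumes its own tuple encoding of internal expressions (described in the comments) and the helper names var, free_vars, rank, sorted_params, subst and new_subst; the input expressions are the chapter's own λ-type from section 6.3 and the GREATER-OR-EQUAL-TO parameter list.

```python
# Added example, not the thesis's or the Ontic system's own code: internal
# Ontic expressions as Python tuples, with free variables, rank and the
# capture-avoiding substitution omega(e) / NewSubst of sections 6.3 and 6.5.
#
# Encoding (an assumption of this example):
#   atomic expression (type symbol, primitive operator, quotation): a str
#   variable x_i^tau:                         ("VAR", i, tau)
#   (LAMBDA (x_1^t1 ... x_k^tk) body):        ("LAMBDA", (x_1, ..., x_k), body)
#   extensional application (op arg1 ... argk): (op, arg1, ..., argk)


def var(i, tau):
    """The i-th variable of type tau in the sequence x_1^tau, x_2^tau, ..."""
    return ("VAR", i, tau)


def free_vars(e):
    """Variables appearing free in e, per the definition in section 6.3: a
    variable is free in itself; free in an application when free in op or an
    argument; free in a lambda-expression when it is not a parameter and is
    free in the body or in the type of some parameter."""
    if isinstance(e, str):
        return set()
    if e[0] == "VAR":
        return {e}
    if e[0] == "LAMBDA":
        _, params, body = e
        free = free_vars(body)
        for p in params:
            free |= free_vars(p[2])      # variables free in the parameter's type
        return free - set(params)
    return set().union(*(free_vars(sub) for sub in e))


def rank(e):
    """Rank: 0 for atoms, one more than the rank of the type for a variable,
    one more than the maximum rank of the parts otherwise."""
    if isinstance(e, str):
        return 0
    if e[0] == "VAR":
        return 1 + rank(e[2])
    if e[0] == "LAMBDA":
        return 1 + max([rank(e[2])] + [rank(p) for p in e[1]])
    return 1 + max(rank(sub) for sub in e)


def sorted_params(params):
    """Order a parameter list by rank and check the non-circularity lemma:
    a parameter free in another parameter's type must precede it."""
    ordered = sorted(params, key=rank)
    for j, pj in enumerate(ordered):
        for i, pi in enumerate(ordered):
            if pi in free_vars(pj[2]) and i >= j:
                raise ValueError("circular parameter list")
    return ordered


def subst(omega, e):
    """omega(e): apply the substitution omega (dict variable -> term) to e."""
    if not any(v in omega for v in free_vars(e)):
        return e                                   # nothing to replace
    if e[0] == "VAR":
        return omega[e]
    if e[0] == "LAMBDA":
        _, params, body = e
        omega2 = new_subst(omega, list(params), free_vars(e))
        return ("LAMBDA", tuple(subst(omega2, p) for p in params),
                subst(omega2, body))
    return tuple(subst(omega, sub) for sub in e)


def new_subst(omega, arglist, freevars):
    """NewSubst: extend omega so that each parameter in arglist is renamed to
    the first variable of type omega(tau_i) that captures neither a variable
    introduced by omega nor an unmapped member of freevars."""
    if not arglist:
        return omega
    x = min(arglist, key=rank)   # least rank: no other parameter is free in its type
    new_type = subst(omega, x[2])
    i = 1
    while True:
        z = var(i, new_type)
        if all((y in omega and z not in free_vars(omega[y])) or
               (y not in omega and z != y) for y in freevars):
            break
        i += 1
    omega2 = dict(omega)
    omega2[x] = z
    return new_subst(omega2, [p for p in arglist if p != x], freevars | {x})


# The lambda-type of section 6.3, (LAMBDA (x^(MEMBER-OF s^SET)) (IS x (MEMBER-OF u^SET))),
# and the GREATER-OR-EQUAL-TO parameter list (x^(IN-USET p^POSET) p^POSET).
s, u = var(1, "SET"), var(2, "SET")
x = var(1, ("MEMBER-OF", s))
LAM = ("LAMBDA", (x,), ("IS", x, ("MEMBER-OF", u)))
p = var(1, "POSET")
xp = var(1, ("IN-USET", p))

if __name__ == "__main__":
    print(free_vars(LAM) == {s, u})           # s is free only via the type of x
    print(sorted_params([xp, p]) == [p, xp])  # p must precede x^(IN-USET p)
    print(subst({u: x}, LAM))                 # the parameter is renamed to x_2, not captured
```

Substituting the term x^(MEMBER-OF s) for u in LAM shows the capture problem the text describes: a naive replacement would turn the body into (IS x (MEMBER-OF x)), so NewSubst renames the parameter to the next variable of the same type, x_2^(MEMBER-OF s), and only then substitutes. Substituting a different set for s instead changes the type of the bound variable, which is why the new parameter is chosen from the sequence of variables of the new type.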
6.6 Macros

The external language includes certain macros that provide convenient abbreviations.
The most important macros used in the external language are
EXISTS and FORALL. The external expression

(EXISTS ((X τ)) Φ)

is an abbreviation for the external formula

(EXISTS-SOME
  (LAMBDA ((X τ))
    Φ))

In general the quantifier EXISTS can involve more than one bound variable.
For example consider an external formula of the form

(EXISTS ((X (IN-USET P))
         (P POSET))
  Φ)

This formula abbreviates the formula

(EXISTS ((P POSET))
  (EXISTS ((X (IN-USET P)))
    Φ))

which becomes

(EXISTS-SOME
  (LAMBDA ((P POSET))
    (EXISTS-SOME
      (LAMBDA ((X (IN-USET P)))
        Φ))))

In general the formula

(EXISTS ((X_1 τ_1) ... (X_k τ_k)) Φ)

abbreviates the formula

(EXISTS ((X_i τ_i))
  (EXISTS ((X_1 τ_1)
           ...
           (X_{i-1} τ_{i-1})
           (X_{i+1} τ_{i+1})
           ...
           (X_k τ_k))
    Φ))

where no X_j appears free in τ_i. This requirement ensures that none of the
bound symbols X_j appear free in the overall expression. If every τ_i has a free
occurrence of some X_j then the macro expansion fails.

The macro FORALL is defined in terms of EXISTS. More specifically

(FORALL ((X_1 τ_1) ... (X_k τ_k)) Φ)

abbreviates

(NOT (EXISTS ((X_1 τ_1) ... (X_k τ_k)) (NOT Φ)))


The following list shows some additional macros where σ and each τ_i are
external type expressions, t and u are external terms, f is an external function
expression of one argument, each X_i is an external symbol and Y and Z are
external symbols distinct from all X_i and which do not appear free in t, u, f,
σ or any τ_i.

Macro Expression                            Expansion

(AND-TYPE τ_1 τ_2)                          (LAMBDA ((Y τ_1))
                                              (IS Y τ_2))

(WRITABLE-AS t                              (RANGE-TYPE
  (X_1 τ_1)                                   (LAMBDA ((X_1 τ_1)
  ...                                                  ...
  (X_k τ_k))                                           (X_k τ_k))
                                                t))

(WRITABLE-AS σ                              (WRITABLE-AS Y
  (X_1 τ_1)                                   (X_1 τ_1)
  ...                                         ...
  (X_k τ_k))                                  (X_k τ_k)
                                              (Y σ))

(AT-MOST-ONE σ)                             (FORALL ((Y σ)
                                                     (Z σ))
                                              (= Z Y))

(EXACTLY-ONE σ)                             (AND (EXISTS-SOME σ)
                                                 (AT-MOST-ONE σ))

(APPLY-RULE t u)                            ((THE-FUNCTION t) u)


In addition to the macros specified above the external language allows
some simple syntactic abbreviations involving operators and macros which
take a single type as an argument. More specifically the expression

(THE-SET-OF-ALL ((X τ)) Φ)

abbreviates

(THE-SET-OF-ALL (LAMBDA ((X τ)) Φ))

Similarly

(THE ((X τ)) Φ)

abbreviates

(THE (LAMBDA ((X τ)) Φ))

The operators AT-MOST-ONE, EXACTLY-ONE and THE-RULE allow for similar
abbreviations.
The macros EXISTS and FORALL also allow abbreviated type expressions in
the list of bound variables. For example the expression

(FORALL ((X τ Φ)) Ψ)

says that Ψ holds for every X of type τ such that Φ. This formula abbreviates
(FORALL ((X σ)) Ψ) where σ is the type (LAMBDA ((X τ)) Φ).
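The EXISTS and FORALL macros of this section, carried out in Python as an added example; this is not code from the thesis or from the Ontic system. It assumes its own tuple encoding of external expressions (described in the comments) and the helper names normalize_binding, free_symbols, expand_exists, expand and is_circular; the inputs are the two-variable EXISTS formula from the text, the expansion of (AT-MOST-ONE σ) from the macro table, and the circular binding list from section 6.3.

```python
# Added example, not the thesis's or the Ontic system's own code: the EXISTS
# and FORALL macros of the external Ontic language (section 6.6), with the
# rule that the binding expanded first must have a type in which no bound
# symbol appears free, the failure on circular binding lists, and the
# (X tau phi) abbreviation for bound variables.
#
# Encoding (an assumption of this example): symbols, operator and type names
# are str; a binding list ((X1 t1) ... (Xk tk)) is a tuple of (symbol, type)
# pairs; every other list is a tuple whose first element is the operator.

BINDERS = ("LAMBDA", "EXISTS", "FORALL")


def normalize_binding(b):
    """(X tau phi) abbreviates (X sigma) where sigma is (LAMBDA ((X tau)) phi)."""
    if len(b) == 3:
        x, tau, phi = b
        return (x, ("LAMBDA", ((x, tau),), phi))
    return tuple(b)


def free_symbols(e):
    """Symbols appearing free in an external expression, the analogue of the
    internal definition: a binder hides its own symbols, but symbols free in
    the types of its bound symbols stay free. Operator and type names count
    as symbols as well; the macros only ever ask about the bound symbols."""
    if isinstance(e, str):
        return {e}
    if e[0] in BINDERS:
        _, bindings, body = e
        pairs = [normalize_binding(b) for b in bindings]
        free = free_symbols(body)
        for _, tau in pairs:
            free |= free_symbols(tau)
        return free - {x for x, _ in pairs}
    return set().union(*(free_symbols(sub) for sub in e))


def expand_exists(bindings, phi):
    """Rewrite (EXISTS bindings phi) as nested (EXISTS-SOME (LAMBDA ((Xi ti)) ...)),
    peeling off at each step a binding whose type mentions no bound symbol."""
    if not bindings:
        return phi
    bound = {x for x, _ in bindings}
    for i, (x, tau) in enumerate(bindings):
        if not free_symbols(tau) & bound:
            rest = bindings[:i] + bindings[i + 1:]
            return ("EXISTS-SOME", ("LAMBDA", ((x, tau),), expand_exists(rest, phi)))
    raise ValueError("circular binding list: every type mentions a bound symbol")


def expand(e):
    """Expand EXISTS and FORALL everywhere in e, leaving only EXISTS-SOME and LAMBDA."""
    if isinstance(e, str):
        return e
    if e[0] in ("EXISTS", "FORALL"):
        _, bindings, phi = e
        pairs = tuple((x, expand(t)) for x, t in map(normalize_binding, bindings))
        if e[0] == "FORALL":   # (FORALL B phi) abbreviates (NOT (EXISTS B (NOT phi)))
            return ("NOT", expand_exists(pairs, ("NOT", expand(phi))))
        return expand_exists(pairs, expand(phi))
    if e[0] == "LAMBDA":
        _, bindings, body = e
        return ("LAMBDA", tuple((x, expand(t)) for x, t in bindings), expand(body))
    return tuple(expand(sub) for sub in e)


def is_circular(bindings):
    """True when the macro expansion of (EXISTS bindings ...) must fail."""
    try:
        expand_exists(tuple(map(normalize_binding, bindings)), "PHI")
        return False
    except ValueError:
        return True


# The two-variable formula from the text and the expansion of (AT-MOST-ONE sigma)
# with sigma = (MEMBER-OF S); PHI stands for an arbitrary formula.
EX = ("EXISTS", (("X", ("IN-USET", "P")), ("P", "POSET")), "PHI")
AMO = ("FORALL", (("Y", ("MEMBER-OF", "S")), ("Z", ("MEMBER-OF", "S"))), ("=", "Z", "Y"))

if __name__ == "__main__":
    print(expand(EX))
    print(expand(AMO))
    print(is_circular((("X", ("MEMBER-OF", "Y")), ("Y", ("MEMBER-OF", "X")))))  # True
```

On EX the binding for P is peeled off first because the type (IN-USET P) of X mentions the bound symbol P, reproducing the nesting shown in the text; on the circular list from section 6.3 no binding qualifies and the expansion fails, which is the error the text describes for circular external expressions.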


6.7  Definitions 


Of  course  the  external  Ontic  language  allows  for  user  specified  definitions.  A 
definition  is  an  expression  of  the  form 

(DEFINE  symbol  e) 

where  symbol  is  an  external  symbol  and  e  is  any  external  expression.  A 
definition  of  this  form  alters  the  base  level  symbol  translation  table  so  that 
symbol  gets  translated  as  the  expression  e'  where  e'  is  the  internal  translation 
of  e. 

Definitions can be made more concise with the macros DEFTYPE and
DEFTERM. For example the definition

(DEFTYPE symbol τ)

is the same as

(DEFINE symbol τ)

but the definition

(DEFTYPE (symbol (X_1 τ_1) ... (X_k τ_k))
  τ)

is an abbreviation for the definition

(DEFINE symbol
  (LAMBDA ((X_1 τ_1) ... (X_k τ_k))
    τ))
Similarly the definition

(DEFTERM symbol u)

is the same as

(DEFINE symbol u)

However, the definition

(DEFTERM (symbol (X_1 τ_1) ... (X_k τ_k))
  u)

is an abbreviation for the definition

(DEFINE symbol
  (LAMBDA ((X_1 τ_1) ... (X_k τ_k))
    u))


6.8  Summary 


The external Ontic language has now been entirely defined; all of the language
constructs that appear as primitives in the proof given in the appendix have
been described in this chapter. A procedure has been given for translating
expressions in the external language into an internal language where there is
a one to one correspondence between the nodes in the graph generated by the
Ontic compiler and expressions in the internal language. The structure of the
internal language has been discussed in detail, including the notion of free
variables and a procedure for performing variable substitutions on internal
expressions. The next section shows how a set Σ of internal Ontic expressions
can be converted to an Ontic graph G(Σ). Ontic graphs are simpler than
Ontic expressions; while there are twenty three kinds of Ontic expressions,
the Ontic graphs defined in chapter 5 have only five kinds of nodes and nine
kinds of links.


Chapter  7 


The  Ontic  Compiler 


The Ontic system compiles a set Σ of Ontic expressions into an Ontic graph
G(Σ). The graph structure is much simpler than the Ontic language. The
node and link types of Ontic graphs do not provide the distinguished primitive
types THING, SET, RULE or SYMBOL. Ontic graphs make no distinction
between syntactically small and syntactically large types. The node and link
types of Ontic graphs do not provide set construction operations or definite
descriptions. Ontic graphs have no explicit provisions for defining new functions
or type generators or for reifying functions as terms. However, in spite of
the relative simplicity of Ontic graphs, it is possible to compile internal Ontic
expressions into Ontic graphs in a way that implements all the features of
the Ontic language.


7.1  An  Overview  of  Compilation 

The Ontic compiler takes a set Σ of internal Ontic expressions and generates
an Ontic graph G(Σ). Each node in the graph G(Σ) corresponds to some
particular expression in the internal Ontic language, although the expression
represented by a node in G(Σ) need not be a member of Σ. The notation
C(Σ) will be used to denote the set of expressions that correspond to the
nodes in G(Σ). In order to precisely define the set C(Σ) each internal Ontic
expression e will be associated with a set Aux(e) of internal Ontic expressions
called the auxiliary expressions for e. The function Aux is defined on a case by
case basis in later sections. The set C(Σ) is defined relative to the mapping
Aux as follows:


Definition: The auxiliary closure C(Σ) of a set of expressions Σ
is the least set of expressions such that

• If an extensional application (op arg1 arg2 ... argk) is in
C(Σ) then op and each argi are in C(Σ).

• If a λ-expression (LAMBDA (x1^τ1 x2^τ2 ... xk^τk) body) is in C(Σ)
then body and each xi^τi is in C(Σ).

• If a variable x^τ is in C(Σ) then τ is in C(Σ).

• If e is in C(Σ) then C(Σ) contains Aux(e).

• Let σ be a λ-type of the form (LAMBDA (x^τ) Φ(x^τ)) and let
y^τ be a variable of type τ. If both σ and y^τ are in C(Σ) then
C(Σ) also contains the formula

(IFF (IS y^τ σ) Φ(y^τ))

where Φ(y^τ) is the result of replacing all free occurrences of
x^τ in Φ with y^τ as discussed in chapter 6.

There is a direct one-to-one correspondence between the expressions in
C(Σ) and the nodes in the Ontic graph G(Σ); if e is in G(Σ) then the
node represented by e is written as n_e. Recall that the nodes in an Ontic
graph come in five types: formula nodes, quotation nodes, variable nodes,
type nodes, and unclassified nodes. The nodes in the Ontic graph G(Σ)
that correspond to Ontic formulas, quotation expressions, Ontic variables,
and type expressions are classified in the obvious way. The nodes
corresponding to all other expressions are unclassified. Note that if an extensional
application (op arg1 arg2 ... argk) is in C(Σ) then C(Σ) also contains the
operator op. This implies that C(Σ) contains "expressions" such as IMPLIES
and EXISTS-SOME which are not technically Ontic expressions. Thus the
graph G(Σ) contains unclassified nodes that correspond to operators such as
IMPLIES and EXISTS-SOME.

Just as the set C(Σ) is defined relative to an auxiliary mapping Aux, the
links in the graph G(Σ) are defined relative to a meaning postulate mapping
M. More specifically each expression e in the internal Ontic language is
associated with a set M(e) of meaning postulates where each meaning postulate
in M(e) is a clause link

ψ1 ∨ ψ2 ∨ ... ∨ ψk

where each ψi is a literal involving a node n_s where s is either the expression
e, a subexpression of e or a member of Aux(e). The mapping M which assigns
every expression a set of meaning postulates is defined on a case by case basis
in later sections. Recall that Ontic graphs have nine kinds of links: clause
links, equality links, subexpression links, free variable links, type declaration
links, type formula links, subtype links, existence links, and closure links.
The complete Ontic graph G(Σ) is defined relative to the meaning postulate
map M as follows:

• The nodes of G(Σ) consist of all nodes of the form n_e where e is an
expression in C(Σ).

• The clauses in G(Σ) are given as follows:

— G(Σ) includes all clauses in M(e) for e in G(Σ).

— If σ is the λ-type (LAMBDA (x^τ) Φ(x^τ)) and y^τ is a variable of
type τ and both σ and y^τ are in G(Σ) then G(Σ) includes the
clause

¬n_{(EXISTS-SOME τ)} ∨ n_{(IFF (IS y^τ σ) Φ(y^τ))}

where Φ(y^τ) is the result of replacing all free occurrences of x^τ
in Φ with y^τ as discussed in chapter 6. The significance of such
clauses is discussed below.

• The equality links in G(Σ) consist of

— All links of the form

n_{(IS t1 (EQUAL-TO t2))} ⇒ n_{t1} = n_{t2}

where the formula (IS t1 (EQUAL-TO t2)) is in G(Σ).

— All links of the form

n_{(IFF p q)} ⇒ n_p = n_q

where the formula (IFF p q) is in C(Σ).

— All links of the form

n_{(= e1 e2)} ⇒ n_{e1} = n_{e2}

where the formula (= e1 e2) is in C(Σ).

• The subexpression links in G(Σ) consist of all links of the form

(n_op n_{arg1} ... n_{argk}) = n_{(op arg1 arg2 ... argk)}

where the extensional application (op arg1 arg2 ... argk) is in C(Σ).

• The free variable links in G(Σ) consist of all links of the form

n_{x^τ} < n_e

where e is an expression in C(Σ) such that x^τ appears free in e.

• The type declaration links in G(Σ) consist of all links of the form

n_{x^τ} : n_τ

where x^τ is in C(Σ).

• The type formula links in G(Σ) consist of all links of the form

n_{(IS u τ)} ⇒ n_u : n_τ

where the formula (IS u τ) is a member of C(Σ).

• The subtype links in G(Σ) consist of all links of the form

n_{(IS-EVERY σ τ)} ⇒ n_σ is a subtype of n_τ

where the formula (IS-EVERY σ τ) is a member of C(Σ).

• The existence formula links in G(Σ) consist of all links of the form

n_{(EXISTS-SOME τ)} ⇒ ∃n_τ

where the formula (EXISTS-SOME τ) is a member of C(Σ).

• The closure links in G(Σ) consist of all links of the form

— n_{(LAMBDA (x^τ) Φ(x^τ))}

where (LAMBDA (x^τ) Φ(x^τ)) is a λ-type in C(Σ), y^τ is a variable of
type τ in C(Σ) such that y^τ does not appear free in (LAMBDA (x^τ)
Φ(x^τ)) and Φ(y^τ) is the result of replacing all free occurrences of x^τ in
Φ by y^τ.


The complete specification of the set C(Σ) and the graph G(Σ) depends
on a specification of the mappings Aux and M which give the auxiliary
expressions and the meaning postulates respectively that are associated with
any given expression. The mappings Aux and M are defined on a case by case
basis in the following sections. The significance of each meaning postulate is
also discussed.


7.2 λ-Types and Variables


λ-types and variables are of central importance in the Ontic system; all
quantification involves the interaction of λ-types and variables. The graph
G(Σ) contains meaning postulates for individual λ-types, meaning postulates
for individual variables, and clauses which are generated by a combination
of a λ-type and a variable.

The meaning postulates for individual λ-types and variables are fairly
simple. If σ is the λ-type (LAMBDA (x^τ) Φ) then σ is a subtype of τ; every
instance of σ is an instance of τ. Thus σ has the auxiliary expression

(IS-EVERY σ τ)


The meaning postulates for σ include a clause that contains only the node
for the above subtype expression. This clause ensures that the node for
the subtype expression is true in any consistent normalized labeling. The
auxiliary expressions for the λ-type σ also include (EXISTS-SOME σ) and
(EXISTS-SOME τ) and the meaning postulates for σ include the clause

¬n_{(EXISTS-SOME σ)} ∨ n_{(EXISTS-SOME τ)}

This clause states that if there exists an instance of σ then there exists an
instance of τ. While this last clause is semantically redundant it forces certain
inferences which would not be performed otherwise.

There are also meaning postulates for λ-types which allow congruence
closure to operate on λ-types. In fact every λ-expression in the Ontic language
has an auxiliary combinator expression. More specifically there is a function
Comb-Trans which converts λ-expressions into combinator form. For
any λ-expression e the combinator expression Comb-Trans(e) is an auxiliary
expression of e. The meaning postulates for e include the clause containing
the single node

n_{(= e Comb-Trans(e))}

This clause ensures that n_e is equivalent to n_{Comb-Trans(e)}.

Combinator expressions allow congruence closure to act on λ-expressions.
For example consider the two lambda types

(LAMBDA (x^τ) (IS u (RELATED-TO x^τ)))

(LAMBDA (x^τ) (IS w (RELATED-TO x^τ)))

where u and w are terms which do not contain x^τ as a free variable. If both
of the above expressions are in C(Σ) and if a particular labeling L of G(Σ)
makes the node for u equivalent to the node for w, then L will equate the
nodes for these two λ-expressions. Note that if x^τ appears free in either u or
w then this congruence inference is not valid.

Combinator conversion algorithms are discussed in [Turner 79] and will
not be described here. Combinator expressions are used solely for congruence
closure on λ-expressions; combinator expressions have no auxiliary
expressions or meaning postulates. However combinator expressions are extensional
applications and therefore generate subexpression links.


Each individual variable also has some auxiliary expressions and a meaning
postulate. If x^τ is a variable of type τ then the auxiliary expressions for
x^τ consist of the formulas (EXISTS-SOME τ) and (IS x^τ τ). The meaning
postulates for x^τ consist of the single clause

¬n_{(EXISTS-SOME τ)} ∨ n_{(IS x^τ τ)}


This clause says that if there exists any instance of the type τ then x^τ is
an instance of τ. This clause ensures that in any consistent normalized
labeling, if the node n_{(EXISTS-SOME τ)} is labeled true then the type node n_τ is
an established type node for the variable node n_{x^τ}.

In addition to the auxiliary expressions and meaning postulates for
individual λ-types and variables there are expressions and clauses which are
generated by a combination of a λ-type and a variable. Suppose that C(Σ)
includes both a λ-type (LAMBDA (x^τ) Φ(x^τ)) and a variable y^τ of type τ. Let
σ be the lambda type (LAMBDA (x^τ) Φ(x^τ)). Under these conditions C(Σ)
includes the formulas

(EXISTS-SOME τ)


and

(IFF (IS y^τ σ) Φ(y^τ))


where Φ(y^τ) is the result of substituting y^τ for all free occurrences of x^τ in Φ
as discussed in chapter 6. Furthermore the graph G(Σ) includes the clause


¬n_{(EXISTS-SOME τ)} ∨ n_{(IFF (IS y^τ σ) Φ(y^τ))}

This clause says that, as long as there exist instances of the type τ, the
formula (IS y^τ σ) is equivalent to Φ(y^τ). This equivalence can be viewed
as a definition of the type σ.¹ More specifically, suppose that the system is
focusing on a term u of type τ and the system is to determine if u is of type
σ (which is a more specific type than τ). The above equivalence says that u
is of type σ just in case the formula Φ(u) is true. For simplicity suppose that
the formulas (IS u σ) and Φ(u) have been compiled, i.e. that they are both
in G(Σ). Since u is of type τ the system can generate the binding y^τ ↦ u.
But if y^τ and u are equivalent then by congruence closure the formula (IS y^τ

¹ Actually the equivalence provides only a partial definition; it does not state the
additional condition that σ is a subtype of τ.
σ) is equivalent to the formula (IS u σ) and Φ(y^τ) is equivalent to Φ(u).²
Thus the binding

y^τ ↦ u

together with the truth of the equivalence

(IFF (IS y^τ σ) Φ(y^τ))

causes the formula (IS u σ) to be equivalent to Φ(u).

In the presence of the binding y^τ ↦ u the equivalence

(IFF (IS y^τ σ) Φ(y^τ))

can be used to determine if u is of type σ even when the formulas (IS u σ)
and Φ(u) have not been compiled, i.e. are not in C(Σ). In the presence of the
binding y^τ ↦ u the semantic modulation inference mechanisms ensure that
the nodes n_{y^τ} and n_u are virtually indistinguishable and that the formulas
(IS y^τ σ) and Φ(y^τ) behave exactly as the formulas (IS u σ) and Φ(u)
would behave if they were compiled.




In general there can be more than one variable of type τ. The definition
of σ is stated in terms of each variable of type τ. This helps to ensure the
homogeneity of the generated graph: different variable nodes with the same
type are identical in that they carry exactly the same information.


7.3 Meaning Postulates with Quantifiers

If the lemma library contains a formula of the form (FORALL (x^τ) Φ(x^τ))
then for each variable y^τ of type τ the compilation process should generate
the formula Φ(y^τ) which is the result of replacing all free occurrences of x^τ in
Φ with y^τ. In this way the compiler should ensure that all information known
to hold of the type τ is copied for each variable of type τ and any binding of
the form y^τ ↦ u causes the term u to inherit information known to hold of
the type τ. The formula (FORALL (x^τ) Φ(x^τ)) is actually an abbreviation
for


(NOT
  (EXISTS-SOME
    (LAMBDA (x^τ)
      (NOT Φ(x^τ)))))

² Because combinator expressions ensure that congruence closure operates on
λ-expressions the binding y^τ ↦ u causes Φ(y^τ) to be equivalent to Φ(u) even in the case
where y^τ appears free inside λ-expressions contained in Φ(y^τ).

If the above formula is true the system should ensure that the formula
Φ(y^τ) is true. This is done via a meaning postulate for type assertion
formulas. More specifically the meaning postulates for a type assertion formula
(IS u σ) consist of the single clause

¬n_{(IS u σ)} ∨ n_{(EXISTS-SOME σ)}

This clause states that if u is an instance of type σ then there exist instances
of type σ. The clause also states the equally important condition that if
there are no instances of σ then u is not an instance of σ. In particular, if
there are no instances of σ then y^τ is not an instance of σ. Given the above
meaning postulate for type assertion formulas and the meaning postulates
discussed in the previous section, one can prove an important lemma about
quantification in the Ontic system.


Lemma: If the formula (FORALL (x^τ) Φ(x^τ)) is in C(Σ) and
y^τ is a variable of type τ in C(Σ) then C(Σ) also includes Φ(y^τ).
Furthermore if L is a consistent normalized labeling of G(Σ) such
that L assigns the label true to the nodes for (EXISTS-SOME τ)
and (FORALL (x^τ) Φ(x^τ)) then L also assigns the label true to
the node for Φ(y^τ).

Proof: C(Σ) includes the formula

(NOT
  (EXISTS-SOME
    (LAMBDA (x^τ)
      (NOT Φ(x^τ)))))

Let σ be the λ-type

(LAMBDA (x^τ) (NOT Φ(x^τ)))

Since both σ and y^τ are in C(Σ) the equivalence

(IFF (IS y^τ σ) (NOT Φ(y^τ)))

must also be in C(Σ) and thus the formula Φ(y^τ) is in C(Σ).
Furthermore the formula (IS y^τ σ) is in C(Σ) and so G(Σ) includes
the clause

¬n_{(IS y^τ σ)} ∨ n_{(EXISTS-SOME σ)}

Now if L assigns the above universal formula the label true it
must assign the node for (EXISTS-SOME σ) the label false. Thus
the node for (IS y^τ σ) must also be assigned false. Furthermore
G(Σ) contains the clause

¬n_{(EXISTS-SOME τ)} ∨ n_{(IFF (IS y^τ σ) (NOT Φ(y^τ)))}

Since L assigns the node for (EXISTS-SOME τ) the label true,
L must also assign the label true to the node for

(IFF (IS y^τ σ) (NOT Φ(y^τ)))

But since the node for (IS y^τ σ) is assigned false, the node for
(NOT Φ(y^τ)) must also be assigned false. But this implies that
the node for Φ(y^τ) is assigned true.


The expression

(FORALL (x1^τ1 x2^τ2 ... xk^τk) Φ)

is an abbreviation for nested universal quantification as described in
chapter 6. The above lemma for a single universal quantifier immediately
generalizes to multiple universal quantification; a universal formula which
quantifies over several variables will be instantiated with all variables of the
appropriate type.
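As an added example (not the thesis's own code), the following Python models the auxiliary closure of section 7.1, the λ-type and variable clauses of section 7.2 and the type-assertion clause of section 7.3 on a constructed set Σ, then runs unit propagation over the clause links to reproduce the lemma above, including the case where (EXISTS-SOME τ) is not labeled true. The tuple encoding of expressions, the type names TAU and Q, and the standard NOT/IFF connective clauses (the thesis defers these to table 4.1) are assumptions of the example.

```python
"""Toy Ontic-style compiler: an added example, not the thesis's own code.
Constructed representation: an expression is a nested tuple, a variable is
('VAR', name, type), a type is a string or a one-binder LAMBDA with a formula
body.  Aux covers only lambda-types and variables (Comb-Trans omitted); the
NOT/IFF clauses are the standard ones, assumed in place of table 4.1."""
FORMULA_OPS = {"NOT", "IFF", "IS", "IS-EVERY", "EXISTS-SOME"}

def head(e):
    return e[0] if isinstance(e, tuple) else None

def is_lambda_type(e):      # one binder, formula body
    return head(e) == "LAMBDA" and len(e[1]) == 1 and head(e[2]) in FORMULA_OPS

def subst(e, x, y):
    """Replace the free occurrences of variable x in e with y (chapter 6)."""
    if e == x:
        return y
    if head(e) == "LAMBDA":             # x bound here: nothing below is free
        return e if x in e[1] else ("LAMBDA", e[1], subst(e[2], x, y))
    if isinstance(e, tuple) and head(e) != "VAR":
        return tuple(subst(a, x, y) for a in e)
    return e

def forall(x, phi):
    """(FORALL (x) phi) abbreviates (NOT (EXISTS-SOME (LAMBDA (x) (NOT phi))))."""
    return ("NOT", ("EXISTS-SOME", ("LAMBDA", (x,), ("NOT", phi))))

def aux(e):                 # Aux(e) for lambda-types and variables (7.2)
    if is_lambda_type(e):
        tau = e[1][0][2]
        return {("IS-EVERY", e, tau), ("EXISTS-SOME", e), ("EXISTS-SOME", tau)}
    if head(e) == "VAR":
        return {("EXISTS-SOME", e[2]), ("IS", e, e[2])}
    return set()

def closure(sigma):
    """Least set C(Sigma) containing Sigma and closed under the 7.1 rules."""
    c = set(sigma)
    while True:
        new = set()
        for e in c:
            if head(e) == "VAR":
                new.add(e[2])                       # a variable's type
            elif head(e) == "LAMBDA":
                new.update(e[1] + (e[2],))          # binders and body
            elif isinstance(e, tuple):
                new.update(e)                       # operator and arguments
            new |= aux(e)
        for lt in [e for e in c if is_lambda_type(e)]:
            x = lt[1][0]
            for v in [e for e in c if head(e) == "VAR" and e[2] == x[2]]:
                new.add(("IFF", ("IS", v, lt), subst(lt[2], x, v)))
        if new <= c:
            return c
        c |= new

def clauses(c):
    """Clause links of G(Sigma): M(e) per node plus the lambda-type/variable
    clause of 7.1.  A literal is (polarity, expr); a clause is a frozenset."""
    cl = set()
    add = lambda *lits: cl.add(frozenset(lits))
    for e in c:
        if is_lambda_type(e):
            x, tau = e[1][0], e[1][0][2]
            add((True, ("IS-EVERY", e, tau)))
            add((False, ("EXISTS-SOME", e)), (True, ("EXISTS-SOME", tau)))
            for v in [v for v in c if head(v) == "VAR" and v[2] == tau]:
                add((False, ("EXISTS-SOME", tau)),
                    (True, ("IFF", ("IS", v, e), subst(e[2], x, v))))
        elif head(e) == "VAR":
            add((False, ("EXISTS-SOME", e[2])), (True, ("IS", e, e[2])))
        elif head(e) == "IS":                       # type assertion (7.3)
            add((False, e), (True, ("EXISTS-SOME", e[2])))
        elif head(e) == "NOT":
            add((False, e), (False, e[1])); add((True, e), (True, e[1]))
        elif head(e) == "IFF":
            _, p, q = e
            add((False, e), (False, p), (True, q)); add((False, e), (True, p), (False, q))
            add((True, e), (True, p), (True, q)); add((True, e), (False, p), (False, q))
    return cl

def propagate(cl, labels):
    """Unit propagation over the clauses; None means a contradiction."""
    labels, changed = dict(labels), True
    while changed:
        changed = False
        for clause in cl:
            if any(labels.get(e) == pol for pol, e in clause):
                continue                                 # already satisfied
            open_lits = [l for l in clause if l[1] not in labels]
            if not open_lits:
                return None
            if len(open_lits) == 1:
                labels[open_lits[0][1]], changed = open_lits[0][0], True
    return labels

def quantifier_lemma(exists_some):
    """Section 7.3 lemma on the constructed Sigma = {(FORALL (x) (IS x Q)), y}:
    returns (Phi(y) in C(Sigma), label propagated to Phi(y) or None)."""
    tau = "TAU"
    x, y = ("VAR", "x", tau), ("VAR", "y", tau)
    phi = lambda v: ("IS", v, "Q")                   # Phi(v), Q a constructed type
    univ = forall(x, phi(x))
    c = closure({univ, y})
    init = {univ: True, ("EXISTS-SOME", tau): True} if exists_some else {univ: True}
    return phi(y) in c, propagate(clauses(c), init).get(phi(y))
```

With (EXISTS-SOME τ) labeled true, propagation labels Φ(y^τ) true exactly as the proof does; without that label Φ(y^τ) stays unlabeled, which is the "as long as there exist instances of τ" proviso of section 7.2.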
Several kinds of Ontic expressions have meaning postulates that involve
quantification. For example let f be a λ-function or non-primitive type
generator of the form

(LAMBDA (x1^τ1 x2^τ2 ... xk^τk) body)

The λ-expression f has the single auxiliary expression


(FORALL (x1^τ1 x2^τ2 ... xk^τk)
  (= (f x1^τ1 x2^τ2 ... xk^τk)
     body))

The meaning postulates for f consist of a single singleton clause which states
that the above formula is true. This formula serves as the definition for
the operator f. In order for this definition to be invoked on an expression
(f u1 u2 ... uk) variables of the appropriate type must be bound
to the arguments u1 u2 ... uk. Once this has been done the application
(f u1 u2 ... uk) will be equivalent to an appropriate substitution instance
of body. However in order to get variables of the proper type bound to the
arguments one must focus on the arguments. Thus in order to invoke the
definition of an operator f in an application (f u1 u2 ... uk) one must focus
on all the arguments ui.

Semantically, the type generator EITHER could be defined as


(LAMBDA (x^THING y^THING)
  (LAMBDA (z^THING)
    (OR (= z^THING x^THING)
        (= z^THING y^THING))))


Note however that if EITHER were simply an abbreviation for the above
expression then types of the form (EITHER u w) would not be syntactically
small. Furthermore, and more seriously, invoking the above definition in
a particular application requires focusing on the arguments to the operator
EITHER. The usefulness of the operator EITHER is greatly improved by making
EITHER a primitive type generator and constructing meaning postulates for
every type of the form (EITHER u w).


Let σ be a type expression of the form (EITHER u w). The type σ has
the auxiliary expressions

(IS u σ)

(IS w σ)

(FORALL (x^σ)
  (OR (= x^σ u)
      (= x^σ w)))

The meaning postulates for σ consist of three singleton clauses which state
that each of the above formulas is true.

Let σ be a type expression of the form (OR-TYPE τ1 τ2). The type σ has
the auxiliary expressions

(IS-EVERY τ1 σ)

(IS-EVERY τ2 σ)

(FORALL (x^σ)
  (OR (IS x^σ τ1)
      (IS x^σ τ2)))

The meaning postulates for σ consist of three singleton clauses which state
that each of the above formulas is true.

Let f be a λ-function of the form

(LAMBDA (x1^τ1 x2^τ2 ... xk^τk) body)

and let σ be the type expression (RANGE-TYPE f). The type expression σ
has two auxiliary formulas:

(FORALL (x1^τ1 x2^τ2 ... xk^τk)
  (IS body σ))

(FORALL (y^σ)
  (EXISTS (x1^τ1 x2^τ2 ... xk^τk)
    (= y^σ body)))

The meaning postulates for σ consist of two singleton clauses which assert
that the above formulas are true. These formulas constitute a definition of
the type σ.

Let u be the term (THE τ) where τ is any type expression. The term u has
the auxiliary expressions

(EXACTLY-ONE τ)

(IS u τ)

(FORALL (x^τ) (= x^τ u))

where these expressions abbreviate internal Ontic expressions as described
in chapter 6. The term u has meaning postulates

¬n_{(EXACTLY-ONE τ)} ∨ n_{(IS u τ)}

¬n_{(EXACTLY-ONE τ)} ∨ n_{(FORALL (x^τ) (= x^τ u))}

These meaning postulates state that if there is exactly one object of type τ
then u is of type τ and everything of type τ is equal to u.


7.4 Reification Expressions

The Ontic system can only focus on terms; in order to focus on types,
functions, or type generators the system must first coerce these objects
to terms. The process of coercing a higher order object to a first order
term is called reification. The Ontic language has two reification operators:
THE-SET-OF-ALL which coerces a type to a set, and THE-RULE which coerces
a function of one argument to a set of pairs. Both of these reification
operators can only be applied to syntactically small objects, e.g. one cannot
construct a set of all sets.

Let s be an expression of the form (THE-SET-OF-ALL τ) where τ is a
syntactically small type expression. The auxiliary expressions for s consist
of the formulas (IS s SET) and (= τ (MEMBER-OF s)) and the meaning
postulates for s consist of two singleton clauses which assert that these two
formulas are true.

Now consider the other reification operator, THE-RULE. Let f be the
λ-function (LAMBDA (x^τ) u) where τ is a syntactically small type expression
and let r be the term (THE-RULE f). The term r has three auxiliary
expressions:

(IS r RULE)

(= (THE-FUNCTION r) f)

(= (RULE-DOMAIN r) (THE-SET-OF-ALL τ))

The meaning postulates for r consist of three singleton clauses which state
that each of the auxiliary formulas must be true.

The meaning postulates for expressions of the form (THE-RULE f) do
not force this expression to denote a set of pairs; the meaning postulates do
not force any particular implementation of a rule in terms of sets. However
the meaning postulates are sufficient to recover all of the information in the
rule; if r is the expression (THE-RULE f) then one can construct the set of
pairs corresponding to r from the function (THE-FUNCTION r) and the set
(RULE-DOMAIN r).


7.5 Miscellaneous Meaning Postulates

Let u be the term (IF Φ w1 w2). The auxiliary expressions for u consist
of the equalities (= u w1) and (= u w2). The meaning postulates for u
consist of the following two clauses


¬n_Φ ∨ n_{(= u w1)}

n_Φ ∨ n_{(= u w2)}

These two clauses state that if Φ is true then u equals w1 and if Φ is false
then u equals w2.

Let u be the quotation (QUOTE symbol). The node n_u is a quotation
node and any labeling which equates distinct quotation nodes is taken to
be explicitly contradictory. The auxiliary expressions for u consist of the
single formula (IS u SYMBOL) and the meaning postulates for u consist of a
singleton clause which states that this formula is true.

The meaning postulates for expressions of the form (THE-SET-OF-ALL τ)
and (THE-RULE f) provide meanings for the types SET and RULE; every reified
predicate is a set and every reified function is a rule. Furthermore the type
SYMBOL is defined by the meaning postulates for quotations. The type THING
is the universal type and the type expression THING has the following auxiliary
expressions

(IS-EVERY SET THING)

(FORALL (x^SET)
  (IS-EVERY (MEMBER-OF x^SET) THING))

(IS-EVERY RULE THING)

(IS-EVERY SYMBOL THING)

The meaning postulates for the type THING consist of three singleton clauses
which state that each of the above formulas is true.

The type generator EQUAL-TO has the following auxiliary expression.


(= EQUAL-TO
  (LAMBDA (x^THING)
    (EITHER x^THING x^THING)))

The meaning postulates for EQUAL-TO consist of a single clause which states
that the above formula is true. EQUAL-TO has been listed as a primitive type
generator because formulas of the form

(IS u (EQUAL-TO w))

generate equality links; these equality links would not be generated if EQUAL-TO
was defined rather than taken as a primitive.

The type generator SUBSET-OF has the following auxiliary expression.

(= SUBSET-OF
  (LAMBDA (x^SET)
    (LAMBDA (y^SET)
      (IS-EVERY (MEMBER-OF y^SET)
                (MEMBER-OF x^SET)))))

The meaning postulates for SUBSET-OF consist of a single clause which states
that the above equivalence is true. SUBSET-OF has been listed as a primitive
type generator because it is syntactically small; the equivalent λ-expression
given above is not syntactically small.

The type generator RULE-BETWEEN has the following auxiliary expression.

(= RULE-BETWEEN
  (LAMBDA (x^SET y^SET)
    (LAMBDA (z^RULE)
      (AND (= (RULE-DOMAIN z^RULE)
              x^SET)
           (FORALL (w^(MEMBER-OF x^SET))
             (IS ((THE-FUNCTION z^RULE)
                  w^(MEMBER-OF x^SET))
                 (MEMBER-OF y^SET)))))))

The meaning postulates for RULE-BETWEEN consist of a single clause which
states that the above equivalence is true. RULE-BETWEEN has been listed as
a primitive type generator because it is syntactically small; the equivalent
λ-expression given above is not syntactically small.

The meaning postulates for Boolean connectives are given in table 4.1 in
chapter const-prop-chap.


7.6 Summary


The Ontic compiler converts a set Σ of expressions in the Ontic language
to an Ontic graph G(Σ). There is a one-to-one correspondence between the
nodes in G(Σ) and a set C(Σ) of Ontic expressions where C(Σ) contains
Σ as a subset. The compilation process is specified in terms of meaning
postulates which are defined on a case by case basis for the various kinds of
Ontic expressions.

The compilation process is incremental; if Σ' is an incremental extension
of Σ then G(Σ') can be constructed as an incremental extension of G(Σ).
When a new expression is typed to the top level Ontic interpreter new graph
structure is incrementally added to represent that expression. When the
system focuses on a term u of type τ it is sometimes necessary to create a
new variable of type τ to bind to u. When a new variable is created new
graph structure is automatically constructed to represent that variable.
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Chapter  8 


Some  Potential  Applications 


There  are  two  ways  of  evaluating  the  ideas  used  in  the  Ontic  system.  First, 
one  can  attempt  to  evaluate  the  utility  of  the  ideas  in  constructing  useful 
systems.  Second,  one  can  attempt  to  evaluate  the  extent  to  which  Ontic’s 
inference  mechanisms  provide  a  plausible  model  of  human  mathematical  cog¬ 
nition.  This  chapter  addresses  the  first  evaluation  technique  by  presenting 
a  list  of  potential  applications  of  automated  inference  systems.  The  appli¬ 
cations  on  this  list  represent  directions  for  future  research;  the  limitations 
of  Ontic’s  object  oriented  inference  techniques  in  these  applications  are  not 
currently  understood  and  future  research  may  uncover  other  inference  tech¬ 
niques  which  make  these  applications  practical. 


One  potential  application  for  automated  inference  systems  is  simply  the 
verification  of  mathematical  arguments;  an  author  could  increase  his  con¬ 
fidence  in  the  correctness  of  a  proof  using  machine  verification.  The  time 
required  to  “debug”  the  formal  representation  of  proofs  in  the  Ontic  system 
seems  to  make  this  application  impractical  at  the  current  time.  However, 
as  the  inference  power  of  the  system  is  increased,  and  the  lemma  library  is 
made  larger,  tbe  system  may  approach  the  point  where  machine  verification 
of  new  mathematics  is  practical. 


Automated  inference  mechanisms  are  needed  in  the  construction  of  in¬ 
teractive  knowledge  bases.  The  Ontic  system  is  able  to  automatically  use 
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information  from  a  lemma  library.  An  Ontic  system  based  on  a  lemma  li¬ 
brary  that  contained  the  contents  of  a  mathematical  textbook  could  answer 
certain  questions  about  the  contents  of  that  book.  Such  an  interactive  text¬ 
book  might  be  valuable  in  education.  If  the  system  could  be  made  to  run 
with  a  very  large  lemma  library,  a  library  containing  the  contents  of  many 
textbooks,  one  could  construct  an  interactive  mathematical  encyclopedia. 
An  interactive  encyclopedia  could  be  used  by  professional  mathematicians  to 
answer  questions  and  verify  arguments  in  domains  that  were  not  familiar  to 
the  human  user. 

Automated  inference  systems  might  also  be  useful  in  constructing  inter¬ 
active  documentation  systems.  A  computer  operating  system,  for  example,  is 
usually  associated  with  a  large  amount  of  documentation.  It  may  be  possible 
to  translate  this  documentation  into  first  order  axioms  that  can  serve  as  a 
emrna  library  underlying  an  inference  system.  One  would  then  have  a  de¬ 
vice  for  answering  questions  about  the  documented  system.  The  problem  of 
answering  questions  about  engineered  devices  seems  similar  to,  but  possibly 
more  difficult  them,  the  problem  of  answering  questions  about  the  material 
in  a  mathematical  textbook. 

Ontic’s object oriented inference mechanism may be useful for program verification. Ontic’s type system is similar to the type systems of strongly typed programming languages. With sufficiently expressive types there is no distinction between type checking and verification; any verification problem for a computer program can be phrased as a type-checking problem. Ontic’s object-oriented inference mechanisms are organized around types. It would be interesting to explore the application of Ontic’s object-oriented inference mechanisms to program verification where verification is viewed as a form of type-checking.

Another possible application for Ontic’s object-oriented inference mechanisms is common sense reasoning. In his naive physics manifesto Hayes proposed writing down first order axioms which express common sense knowledge about the physical world [Hayes 85]. One might object to Hayes’ proposal on the grounds that first order inference is intractable. It is clear, however, that certain limited inferences can be done quickly. It would be interesting to explore the application of Ontic’s inference mechanisms to reasoning about common sense situations. Another objection to Hayes’ proposal is that much, if not most, common sense reasoning is heuristic: the conclusions are not strictly implied by the given information. The final section of this chapter suggests a way in which Ontic’s object oriented inference mechanisms could be extended to perform certain forms of heuristic reasoning.


8.1  Interactive  Knowledge  Bases 


Ontic’s object-oriented inference mechanisms are designed to automatically access a large lemma library. By placing various kinds of information in the knowledge base underlying an Ontic-like system one could construct interactive mathematical textbooks, interactive mathematical encyclopedias, and interactive technical documentation libraries.

Access  to  information  in  Ontic’s  lemma  library  is  controlled  via  types: 
the  inference  mechanism  accesses  only  those  portions  of  the  lemma  library 
that  concern  types  which  apply  to  the  given  focus  objects.  For  example, 
when  reasoning  about  graphs  the  system  automatically  ignores  facts  about 
differentiable  manifolds.  Thus  the  lemma  library  could  include  information 
about  a  large  number  of  different  subjects  and  still  be  used  effectively. 

There are several ways one could use an interactive mathematical encyclopedia. First, the encyclopedia could be used to answer questions about areas of mathematics that are unfamiliar to the user. Second, the encyclopedia could verify a user’s argument. This would be especially useful when the human user is unfamiliar with the subject matter of his own argument. Finally, a mathematician who develops a new concept could ask the system if that concept has already been defined under some other name.

Recognizing user-defined concepts is particularly difficult; there may be a defined concept in the encyclopedia which is “essentially the same” as a user-defined concept but the two definitions are technically different. For example, consider the concept of an equivalence relation. An equivalence relation can be defined as a relation, i.e. a set of pairs, which is symmetric, transitive, and reflexive. Alternatively, an equivalence relation can be defined as a partition of a set into equivalence classes. These two definitions seem to define the same concept and yet the two classes are technically disjoint: a partition is different from a set of pairs. It turns out that one can define a very general notion of iso-onticity under which equivalence relations (as sets of pairs) are iso-ontic to partitions [McAllester 83]. There are many other examples of iso-onticities between classes. For example a function f of two arguments defines a Curried function f' such that for all arguments x and y, the application f'(x) yields a function such that

f(x, y) = f'(x)(y)

The function f is iso-ontic to its curried version f'. As another example consider a graph. A graph can be defined in two ways: a graph can be defined as a set of nodes together with a set of arcs where each arc is a set of two nodes. Alternatively, a graph could be defined as a set of nodes together with a symmetric anti-reflexive binary relation on those nodes. A relation, i.e. a set of pairs, is different from a set of arcs, i.e. a set of sets. A set of two-element sets, however, is iso-ontic to a symmetric anti-reflexive binary relation. There are many examples of iso-onticities in mathematics. Ideally an interactive encyclopedia would recognize when a user-defined concept is iso-ontic to a concept that already exists in the encyclopedia.


8.2  Software  Verification 


Type checking has proved to be a practical way of finding certain errors in computer programs. Currently available type checking systems use a weak vocabulary of types — there is no way to treat an arbitrary predicate as a data type. If the type vocabulary is made richer then stronger “semantic” properties of programs can be expressed as type constraints. In fact, if any predicate on data structures can be expressed as a type then any semantic specification for a computer program can be expressed as type restrictions. For example, if iteration is replaced by recursion then a programmer can provide loop invariants simply by placing type restrictions on the arguments of recursive functions.

If arbitrary predicates on data structures can be expressed as types then type checking requires theorem proving. One might argue that, because theorem proving is intractable, one should not use fully expressive type systems. This criticism carries little weight, however, if one is willing to allow type checking to fail. A failure to type check simply means that the system failed to prove the program correct: it does not mean that the program is wrong. Since Ontic’s object-oriented theorem proving mechanisms are guaranteed to terminate quickly, a type checking system based on Ontic’s theorem proving mechanisms could also be made to terminate quickly. Programs which fail to type check are classified as “not obviously correct”. Since Ontic’s inference mechanisms can automatically use a large lemma library, the power of a type checker based on Ontic could always be increased by adding more lemmas. Such lemmas could either be proved from first principles or simply added as axioms. Adding lemmas should cause more programs to be classified as obviously correct.

Type  checking  has  already  been  demonstrated  to  be  practical  for  certain 
restricted  type  vocabularies.  It  seems  likely  that  type  checking  using  more 
expressive  types  would  be  equally  practical  in  the  sense  that  all  types  which 
are  checked  by  existing  systems  could  still  be  checked  in  the  more  general 
setting.  A  system  with  fully  expressive  types  could  gradually  be  extended 
to  incorporate  more  powerful  inference  techniques  under  the  constraint  that 
type  checking  terminates  quickly. 
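The following Python program is an added illustration of the idea in this section and is not code from the Ontic thesis. A "type" is taken to be an arbitrary predicate on a function's arguments; a decorator checks the predicates at every call, so on a recursive function they serve as the loop invariants the text mentions. The check here is a runtime one, the dynamic counterpart of what a static checker in the thesis's sense would have to prove for all inputs; the decorator, predicate and search function names are this example's own, and the search data is constructed.

```python
"""Predicate-types as loop invariants (added example; not from the thesis)."""
import inspect
from functools import wraps
from typing import Any, Callable, Dict, Sequence

Args = Dict[str, Any]


class TypeCheckFailure(Exception):
    """Some call's arguments failed one of the predicate-types."""


def typed(**predicates: Callable[[Args], bool]):
    """Attach named predicate-types to a function. They are checked on every
    call, so on a recursive function they play the role of loop invariants."""
    def decorate(fn):
        sig = inspect.signature(fn)

        @wraps(fn)
        def wrapper(*args, **kwargs):
            bound = sig.bind(*args, **kwargs)
            bound.apply_defaults()
            for name, pred in predicates.items():
                if not pred(bound.arguments):
                    raise TypeCheckFailure(
                        f"{fn.__name__}: predicate-type {name!r} violated "
                        f"by arguments {dict(bound.arguments)}")
            return fn(*args, **kwargs)
        return wrapper
    return decorate


# The predicate-types of the search's arguments (hypothetical names).
def window_in_bounds(a: Args) -> bool:
    return 0 <= a["lo"] <= a["hi"] <= len(a["xs"])


def input_sorted(a: Args) -> bool:
    xs = a["xs"]
    return all(xs[i] <= xs[i + 1] for i in range(len(xs) - 1))


def key_not_lost(a: Args) -> bool:
    """If the key occurs in xs at all, it still lies inside xs[lo:hi]."""
    xs, lo, hi, key = a["xs"], a["lo"], a["hi"], a["key"]
    return key not in xs or key in xs[lo:hi]


@typed(bounds=window_in_bounds, is_sorted=input_sorted, key_kept=key_not_lost)
def search(xs: Sequence[int], key: int, lo: int, hi: int) -> int:
    """Index of key in the sorted window xs[lo:hi], or -1. Recursion takes
    the place of iteration, so the invariants are just argument types."""
    if lo >= hi:
        return -1
    mid = (lo + hi) // 2
    if xs[mid] == key:
        return mid
    if xs[mid] < key:
        return search(xs, key, mid + 1, hi)
    return search(xs, key, lo, mid)


@typed(bounds=window_in_bounds, is_sorted=input_sorted, key_kept=key_not_lost)
def search_buggy(xs: Sequence[int], key: int, lo: int, hi: int) -> int:
    """Same search with an off-by-one: hi = mid - 1 drops xs[mid - 1] from
    the window, which the key_kept predicate-type detects at the call."""
    if lo >= hi:
        return -1
    mid = (lo + hi) // 2
    if xs[mid] == key:
        return mid
    if xs[mid] < key:
        return search_buggy(xs, key, mid + 1, hi)
    return search_buggy(xs, key, lo, mid - 1)


def binary_search(xs: Sequence[int], key: int, impl=search) -> int:
    return impl(xs, key, 0, len(xs))


def type_checks(impl, xs: Sequence[int], key: int) -> bool:
    """True when every call impl makes on this input satisfies its
    predicate-types; False when the run is 'not obviously correct'."""
    try:
        impl(xs, key, 0, len(xs))
        return True
    except TypeCheckFailure:
        return False


if __name__ == "__main__":
    data = [1, 3, 5, 7, 9, 11]                 # constructed sample input
    print(binary_search(data, 5))              # 2
    print(type_checks(search, data, 5))        # True
    print(type_checks(search_buggy, data, 5))  # False
```

A failed check only says the run was not shown correct on that path; the buggy search still passes on inputs where the dropped element does not matter, which is exactly why the text wants the check performed by a prover over all inputs rather than by execution.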


8.3  Common  Sense  and  Default  Reasoning 


Hayes has proposed using first order logic as a language for representing common sense knowledge about the physical world [Hayes 85]. One possible objection to first order logic as a representation language is that theorem proving is intractable. It would be interesting to see if Ontic’s object oriented theorem proving mechanisms could be used to answer common sense questions about the physical world using a formal fact library.

Another objection to first order logic as a knowledge representation language is that common sense reasoning is often heuristic: heuristic reasoning produces conclusions which are likely, but not necessarily true. This observation has led to the development of default logics and semantic network formalisms that allow the cancellation of inheritance links [Fahlman 79] [Etherington & Reiter 83]. It seems likely that Ontic’s object oriented inference mechanisms could be extended to handle certain kinds of heuristic inference. Ontic’s inference mechanisms are organized around types. It seems plausible that heuristic knowledge could also be organized around types. More specifically one could introduce the quantifier FORMOST which is analogous to the quantifier FORALL. One could then write axioms such as the following

(FORMOST  ((X  BIRD))  (IS  X  FLYING-ANIMAL)) 

One can assign truth values to FORMOST formulas by associating each type with a probability distribution over instances of that type. In general, a formula of the form

(FORMOST ((x τ)) Φ(x))

is true just in case the fraction of instances of type τ which satisfy Φ(x) is above some threshold α. If the threshold α is large, say 95%, then a reasoning system might perform heuristic inferences by treating FORMOST the same way it treats FORALL: given that most birds fly, and Tweety is a bird, the system would “deduce” that Tweety flies. The facts that Tweety is a bird and that most birds fly do not imply that Tweety flies, or even that it is likely that Tweety flies, whatever that means. People, however, will naturally conclude that Tweety probably flies. Thus heuristic inference is not semantically sound. However, unsound heuristic inference seems to be useful.

The following example indicates that inclusion relationships between types play an important role in human heuristic reasoning. I will use the expression

(ARE-MOST τ σ)

as an abbreviation for

(FORMOST ((x τ)) (IS x σ))

The following “inheritance network” concerning molluscs is adapted from [Etherington & Reiter 83].


(ARE-MOST MOLLUSC SHELL-BEARER)

(IS-EVERY CEPHALOPOD MOLLUSC)

(ARE-MOST CEPHALOPOD (NOT-TYPE SHELL-BEARER))

(IS-EVERY NAUTILUS CEPHALOPOD)

(IS-EVERY NAUTILUS SHELL-BEARER)

Given the above information together with the statement that Squirmy is a mollusc one would naturally conclude that Squirmy is probably a shell-bearer. If one is then told that Squirmy is a cephalopod one would conclude that Squirmy is probably not a shell-bearer. Note that in this second case there is a conflict between two FORMOST assertions that apply to Squirmy: most molluscs have shells but most cephalopods do not have shells. In this case the known inclusion relationship between the types CEPHALOPOD and MOLLUSC seems to resolve the conflict. Finally, if one is told that Squirmy is a nautilus one would in fact know, according to the above information, that Squirmy is a shell bearer.

If a reasoning system treats FORMOST assertions in the same way that it treats FORALL assertions it will perform unsound inferences. In particular, each universal instantiation of a FORMOST assertion is unsound. If some unsound FORMOST instantiation produces a conclusion which conflicts with known information then that unsound instantiation inference should be retracted. Furthermore, if two unsound instantiations of FORMOST assertions are mutually contradictory, and there is an inclusion relation between the types quantified over in the two FORMOST assertions, then the FORMOST assertion with the more specific type should dominate and the unsound instantiation of the other FORMOST assertion should be retracted. More research is needed to determine if these guidelines lead to an efficient and useful heuristic reasoning system.
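The following Python program is an added worked example of the guidelines just stated, run on the mollusc network above; it is not code from the Ontic thesis and makes no claim about how Ontic itself would implement FORMOST. It instantiates every applicable ARE-MOST assertion, retracts an instantiation that conflicts with what is soundly known through IS-EVERY, and between two conflicting instantiations lets the more specific type dominate. The text says nothing about two conflicting types that are incomparable under inclusion; this example then draws neither conclusion, which is its own choice. Class and method names are this example's own, and the knowledge base is constructed from the network in the text.

```python
"""FORMOST-style default reasoning (added example; not from the thesis)."""
from typing import Dict, List, Set, Tuple

# A property is a type name with a sign: (name, True) stands for
# (IS x name) and (name, False) for (IS x (NOT-TYPE name)).
Prop = Tuple[str, bool]


class DefaultReasoner:
    def __init__(self) -> None:
        self.every: Dict[str, Set[Prop]] = {}   # (IS-EVERY sub super)
        self.most: List[Tuple[str, Prop]] = []  # (ARE-MOST type prop)

    def is_every(self, sub: str, sup: str, positive: bool = True) -> None:
        self.every.setdefault(sub, set()).add((sup, positive))

    def are_most(self, typ: str, prop: str, positive: bool = True) -> None:
        self.most.append((typ, (prop, positive)))

    def sound_closure(self, types: Set[str]) -> Set[Prop]:
        """Everything strictly implied by the given types through IS-EVERY."""
        facts: Set[Prop] = {(t, True) for t in types}
        frontier = list(types)
        while frontier:
            t = frontier.pop()
            for name, sign in self.every.get(t, ()):
                if (name, sign) not in facts:
                    facts.add((name, sign))
                    if sign:
                        frontier.append(name)
        return facts

    def includes(self, sub: str, sup: str) -> bool:
        """True when sub is a proper subtype of sup by the IS-EVERY facts."""
        return sub != sup and (sup, True) in self.sound_closure({sub})

    def conclude(self, known_types: Set[str]) -> Dict[str, Tuple[bool, str]]:
        """Map each property name to (sign, justification)."""
        facts = self.sound_closure(known_types)
        result = {name: (sign, "known") for name, sign in facts}
        types = {name for name, sign in facts if sign}
        # 1. Unsound instantiation of every FORMOST assertion whose type applies.
        defaults = [(t, p) for t, p in self.most if t in types]
        # 2. Retract instantiations that conflict with known information.
        defaults = [(t, (n, s)) for t, (n, s) in defaults
                    if (n, not s) not in facts]
        # 3. Between conflicting instantiations the more specific type
        #    dominates; if neither type includes the other, draw neither
        #    conclusion (this example's choice; the text covers inclusion only).
        for t1, (n1, s1) in defaults:
            rivals = [t2 for t2, (n2, s2) in defaults if n1 == n2 and s1 != s2]
            if all(self.includes(t1, t2) for t2 in rivals) and n1 not in result:
                result[n1] = (s1, f"probably (most {t1})")
        return result


def mollusc_kb() -> DefaultReasoner:
    """The inheritance network from the text, as constructed sample data."""
    kb = DefaultReasoner()
    kb.are_most("MOLLUSC", "SHELL-BEARER")
    kb.is_every("CEPHALOPOD", "MOLLUSC")
    kb.are_most("CEPHALOPOD", "SHELL-BEARER", positive=False)
    kb.is_every("NAUTILUS", "CEPHALOPOD")
    kb.is_every("NAUTILUS", "SHELL-BEARER")
    return kb


def shell_bearer_verdict(known: Set[str]) -> Tuple[bool, str]:
    """What the reasoner says about Squirmy, given what Squirmy is known to be."""
    return mollusc_kb().conclude(known)["SHELL-BEARER"]


if __name__ == "__main__":
    for told in ({"MOLLUSC"}, {"CEPHALOPOD"}, {"NAUTILUS"}):
        print(sorted(told), "->", shell_bearer_verdict(told))
```

The three runs reproduce the text's three stages: told only MOLLUSC, Squirmy is probably a shell-bearer; told CEPHALOPOD, the more specific type's default wins and Squirmy is probably not one; told NAUTILUS, the sound IS-EVERY fact settles the matter and the conflicting cephalopod default is retracted.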


Chapter  9 


A  Summary  of  Ontic 


The  Ontic  system  has  the  following  features: 

•  The Ontic formal language is organized around a rich vocabulary of types.

   -  There are many different ways of constructing type expressions. Any predicate of one argument is a type. Type generators can be applied to arguments to yield types. There are special constructs such as WRITABLE-AS for constructing types from terms. Types can be combined with Boolean combinators to yield other types.

   -  There are many different ways of using types. Types are used as predicates in formulas of the form (IS x τ). Types restrict the range of quantifiers. A type can be used to construct a term via the operator THE. A type can be used to construct a set via the operator THE-SET-OF-ALL. Types can be directly related via the combinator IS-EVERY.

   -  Types play a central role in Ontic’s object-oriented inference mechanisms.

•  Most of the axioms of Zermelo Fraenkel set theory are incorporated into the syntactic definition of a small type expression and a small function expression; type and function expressions which are syntactically small can be reified via the operators THE-SET-OF-ALL and THE-RULE respectively.

•  Many modern theorem provers are based on some kind of backward chaining rewrite mechanism guided by a notion of simplification. Ontic is based on a forward chaining mechanism guided by a notion of focus. Ontic’s forward chaining inference process is restricted to formulas which are about a given set of focus objects.

•  Ontic automatically finds and applies information from a large lemma library. The Ontic system classifies each focus object by finding types that are true of that object. If a focus object x is classified as being an instance of type τ then the system automatically applies knowledge about the type τ to the focus object x.

•  Ontic’s  inference  mechanisms  are  implemented  as  labeling  operations 
on  a  graph  structure.  The  graph  structure  represents  a  compiled  version 
of  the  lemma  library  and  is  analogous  to  a  semantic  network.  The  graph 
labeling  process  implements  a  virtual  copy  mechanism  whereby  a  focus 
object  becomes  a  virtual  copy  of  a  generic  individual. 

•  Ontic performs automatic universal generalization as part of its forward chaining inference process. In universal generalization the generic individuals in Ontic’s graph structure are analogous to the Skolem constants introduced in a resolution theorem prover by a universally quantified goal formula. At other times the same generic individuals are used as universal variables which get instantiated with (bound to) focus objects. At still other times generic individuals act as Skolem constants introduced by existential premises. The types associated with generic individuals are central to the automatic universal generalization mechanism: the types determine the range of applicability of the derived universal statement.

It is not clear which of the above features are most responsible for the power of the Ontic system. Some features are orthogonal to others. For example, the reification operations THE-SET-OF-ALL and THE-RULE could be removed from the system: no other feature of the system depends on the reification operators. Similarly, the universal generalization mechanism could be removed without affecting any other mechanism. Other features are less modular.

It would probably be possible to find some object-oriented forward chaining inference mechanism that does not use graph-labeling. Such a mechanism would be restricted so that variables are only instantiated with focus objects. Implementing congruence closure and automatic universal generalization, however, might be difficult in a system that was based on formula manipulation rather than graph labeling.

On the other hand, one can imagine a graph-labeling inference mechanism not guided by focus objects. In such a system bindings for generic individuals would be generated in some other way. Early versions of the Ontic system used graph-labeling inference mechanisms, including a virtual copy mechanism based on binding generic individuals, but did not use focus objects to guide the binding process. These early versions of the system did not perform well. User-specified focus objects seem to be central to the operation of Ontic.

All of the features of the Ontic system utilize types. In addition to providing concise and natural formulas, types are central to accessing information in the lemma library, binding generic individuals, automatic universal generalization, and reification. It is difficult to imagine any version of the Ontic system not organized around types.

Knowledge  representation  and  automated  inference  may  ultimately  have 
a  profound  effect  on  our  society.  Interactive  encyclopedias  may  some  day  be 
able  to  answer  questions  about  a  large  fraction  of  human  knowledge.  Such 
encyclopedias  would  make  all  current  forms  of  publication  obsolete.  Thus, 
however  the  future  judges  the  ideas  presented  here,  I  hope  that  research  in 
inference  and  knowledge  representation  will  continue. 


Appendix  A 

The  Stone  Representation 
Theorem 


This  appendix  contains  a  complete  listing  of  a  mathematical  development 
which  starts  with  a  foundational  system  equivalent  to  ZFC  set  theory  and 
ends  with  a  proof  of  the  Stone  representation  theorem.  The  listing  contains 
three  types  of  information:  the  definitions  of  all  non-primitive  terms  used  in 
the  development,  the  lemmas  proven,  and  the  machine  verified  proof  of  each 
lemma.  Definitions  appear  centered  on  the  page  while  lemmas  are  shown  in 
a  left  hand  column  next  to  their  proofs  which  appear  in  a  right  hand  column. 
The  “proofs”  are  actually  recorded  histories  of  interactions  with  the  Ontic 
interpreter. 

The  listing  is  cumulative;  at  each  point  in  the  listing  the  system  has  access 
to  all  definitions  and  lemmas  presented  earlier  in  the  listing.  At  any  given 
point  in  the  listing  the  definitions  and  lemmas  given  prior  to  that  point  are 
stored  in  a  fact  library  that  is  accessed  automatically  by  the  system.  At 
the  end  of  the  listing  the  accumulated  fact  library  contains  509  facts;  154 
definitions  and  355  lemmas. 

The listing is divided into sections each of which begins with an English description of the contents of that section. The first four sections introduce basic notions from set theory such as singleton and doubleton sets, unions and intersections, pairs, relations, structures, and functions. These first four sections contain 254 facts; roughly half the total. The remaining sections develop facts about partial orders, lattices, filters in lattices, and the Stone representation theorem. Table A.1 shows the number of facts in each section.


Section                                            Number of Facts

Fundamentals                                                    95
Pairs, Rules and Structures                                     39
Maps                                                            75
Relations, Choice and Relation Structures                       45
Partial Orders and Zorn’s Lemma                                 68
Lattices                                                        48
Bounded, Distributive, and Complemented Lattices                40
Sublattices                                                     35
Lattice Morphisms                                               25
Filters and Ultrafilters                                        18
The Stone Representation Theorem                                21

Total                                                          509


Table A.1: The number of facts in each section
A.1 Fundamentals


This section contains basic facts about sets. More specifically this section contains:


•  A proof of the existence and uniqueness of the empty set.

•  Facts about inserting objects into sets.

•  Facts about singleton and doubleton sets.

•  A version of Russell’s paradox that proves that for every set there exists something not in that set.

•  Facts about families of sets.

•  Facts about unions and intersections of sets.

•  Facts about removing objects from sets.

•  Facts about power sets.


We begin with the empty set:


(DEFTYPE EMPTY-SET
  (LAMBDA ((S SET))
    (NOT (EXISTS-SOME (MEMBER-OF S)))))


(LEMMA (EXISTS-SOME EMPTY-SET))


(IN-CONTEXT
  ((PUSH-GOAL (EXISTS-SOME EMPTY-SET))
   (LET-BE S SET)
   (LET-BE S2
     (THE-SET-OF-ALL (X (MEMBER-OF S))
       (NOT (= X X)))))
  (NOTE-GOAL))


(LEMMA (AT-MOST-ONE EMPTY-SET))


(IN-CONTEXT
  ((LET-BE S1 EMPTY-SET)
   (LET-BE S2 EMPTY-SET))
  (NOTE (AT-MOST-ONE EMPTY-SET)))


(DEFTERM THE-EMPTY-SET
  (THE EMPTY-SET))


(LEMMA
  (NOT
    (EXISTS-SOME
      (MEMBER-OF THE-EMPTY-SET))))


(IN-CONTEXT
  ((LET-BE S THE-EMPTY-SET))
  (NOTE
    (NOT
      (EXISTS-SOME
        (MEMBER-OF THE-EMPTY-SET)))))


(DEFTERM (INSERT (X THING) (S SET))
  (THE-SET-OF-ALL
    (OR-TYPE (EQUAL-TO X)
             (MEMBER-OF S))))


(LEMMA
  (FORALL ((Y THING)
           (S SET))
    (IS (INSERT Y S)
        SET)))


(LEMMA
  (FORALL ((X THING)
           (Y THING)
           (S SET))
    (IS (INSERT X (INSERT Y S))
        SET)))


(LEMMA
  (FORALL ((Y THING)
           (X THING)
           (S SET))
    (= (INSERT X (INSERT Y S))
       (INSERT Y (INSERT X S)))))


(IN-CONTEXT
  ((LET-BE Y THING)
   (LET-BE X THING)
   (LET-BE S SET)
   (LET-BE IY (INSERT Y S))
   (LET-BE IXY (INSERT X IY)))
  (NOTE (IS IY SET))
  (NOTE (IS IXY SET))
  (IN-CONTEXT
    ((LET-BE IX (INSERT X S))
     (LET-BE IYX (INSERT Y IX))
     (PUSH-GOAL (= IXY IYX)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS IXY (SUBSET-OF IYX))))
      (IN-CONTEXT
        ((LET-BE Z (MEMBER-OF IXY)))
        (IN-CONTEXT
          ((PUSH-GOAL (IS Z (MEMBER-OF IYX))))
          (IN-CONTEXT
            ((SUPPOSE (= Z X)))
            (NOTE-GOAL))
          (IN-CONTEXT
            ((SUPPOSE (= Z Y)))
            (NOTE-GOAL))
          (NOTE-GOAL)))
      (NOTE+GENERALIZE-GOAL))
    (NOTE-GOAL)))


(LEMMA
  (FORALL ((S SET (EXISTS-SOME (MEMBER-OF S)))
           (X (MEMBER-OF S))
           (S2 (SUBSET-OF S)))
    (IS (INSERT X S2)
        (SUBSET-OF S))))


(IN-CONTEXT
  ((LET-BE S SET (EXISTS-SOME (MEMBER-OF S)))
   (LET-BE S2 (SUBSET-OF S))
   (LET-BE X (MEMBER-OF S))
   (LET-BE SX2 (INSERT X S2))
   (PUSH-GOAL (IS SX2 (SUBSET-OF S))))
  (IN-CONTEXT
    ((LET-BE Y (MEMBER-OF SX2)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS Y (MEMBER-OF S))))
      (IN-CONTEXT
        ((SUPPOSE (IS Y (MEMBER-OF S2))))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))


(LEMMA
  (FORALL ((X THING) (S SET))
    (= (INSERT X S)
       (INSERT X
         (INSERT X S)))))


(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE S SET)
   (LET-BE S2 (INSERT X S))
   (LET-BE S3 (INSERT X S2))
   (PUSH-GOAL (= S2 S3)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS S3 (SUBSET-OF S2)))
     (LET-BE Y (MEMBER-OF S3)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS Y (MEMBER-OF S2))))
      (IN-CONTEXT
        ((SUPPOSE (= Y X)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))


The DEFNOTATION construct allows the user to define macros. The following form defines the operator MAKE-SET so that (MAKE-SET X) abbreviates (INSERT X THE-EMPTY-SET) and (MAKE-SET X1 X2 ... XN) abbreviates (INSERT X1 (MAKE-SET X2 ... XN)).


(DEFNOTATION (MAKE-SET &REST ELEMENTS)
  (IF (NULL ELEMENTS)
      'THE-EMPTY-SET
      `(INSERT ,(CAR ELEMENTS)
               (MAKE-SET ,@(CDR ELEMENTS)))))
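As an added illustration of what this notation does, and not code from the Ontic thesis, the following Python program parses an Ontic-style form and expands every MAKE-SET occurrence by the rule just given: no elements yields THE-EMPTY-SET, otherwise the first element is INSERTed into the expansion of the rest. The parser and the function names are this example's own; only MAKE-SET, INSERT and THE-EMPTY-SET come from the listing.

```python
"""Expanding the MAKE-SET notation of the listing (added example)."""
import re
from typing import List, Union

SExpr = Union[str, List["SExpr"]]

# Tokens are parentheses or runs of non-space, non-paren characters,
# which covers the Ontic forms in the listing (symbols like THE-EMPTY-SET).
TOKEN = re.compile(r"\(|\)|[^\s()]+")


def parse(text: str) -> SExpr:
    """Read exactly one form; rejects unbalanced or trailing input."""
    tokens = TOKEN.findall(text)
    pos = 0

    def read() -> SExpr:
        nonlocal pos
        if pos >= len(tokens):
            raise SyntaxError("unexpected end of input")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items: List[SExpr] = []
            while pos < len(tokens) and tokens[pos] != ")":
                items.append(read())
            if pos >= len(tokens):
                raise SyntaxError("missing ')'")
            pos += 1                      # consume the closing ')'
            return items
        if tok == ")":
            raise SyntaxError("unexpected ')'")
        return tok

    expr = read()
    if pos != len(tokens):
        raise SyntaxError("trailing input after the first form")
    return expr


def unparse(e: SExpr) -> str:
    if isinstance(e, str):
        return e
    return "(" + " ".join(unparse(x) for x in e) + ")"


def expand_make_set(e: SExpr) -> SExpr:
    """Rewrite (MAKE-SET X1 ... XN) as nested INSERTs ending in
    THE-EMPTY-SET, recursively, inside any enclosing form."""
    if isinstance(e, str):
        return e
    if e and e[0] == "MAKE-SET":
        elements = [expand_make_set(x) for x in e[1:]]
        result: SExpr = "THE-EMPTY-SET"   # (MAKE-SET) with no elements
        for x in reversed(elements):      # build from the innermost out
            result = ["INSERT", x, result]
        return result
    return [expand_make_set(x) for x in e]


def expand_text(text: str) -> str:
    """Parse, expand and print back a form."""
    return unparse(expand_make_set(parse(text)))


if __name__ == "__main__":
    # Constructed inputs, including a lemma statement from the listing.
    for form in ("(MAKE-SET X1 X2 X3)",
                 "(MAKE-SET)",
                 "(= (MAKE-SET X Y) (MAKE-SET Y X))"):
        print(form, "=>", expand_text(form))
```

Expanding the commutativity lemma from the listing shows why it needs a proof at all: after expansion the two sides are different nestings of INSERT, and the lemma about swapping two INSERTs proved above is exactly what relates them.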


(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE E THE-EMPTY-SET))
  (NOTE (IS (INSERT X E) SET))
  (NOTE (IS X (MEMBER-OF (INSERT X E))))
  (IN-CONTEXT
    ((LET-BE Y (MEMBER-OF (INSERT X E))))
    (NOTE (= X Y))))


(LEMMA
  (FORALL
    ((X THING)
     (Y (MEMBER-OF (MAKE-SET X))))
    (= X Y)))


(LEMMA
  (FORALL ((X THING))
    (IS (MAKE-SET X) SET)))

(LEMMA
  (FORALL ((X THING))
    (IS X (MEMBER-OF (MAKE-SET X)))))


(DEFTYPE SINGLETON-SET
  (WRITABLE-AS (MAKE-SET X)
    (X THING)))


(LEMMA (FORALL ((S SINGLETON-SET))
         (IS S SET)))


(LEMMA (FORALL ((S1 SINGLETON-SET))
         (EXISTS-SOME (MEMBER-OF S1))))


(LEMMA (FORALL ((S1 SINGLETON-SET))
         (AT-MOST-ONE (MEMBER-OF S1))))


(LEMMA
  (FORALL ((S SET))
    (=> (EXACTLY-ONE (MEMBER-OF S))
        (= S
           (MAKE-SET
             (THE (MEMBER-OF S)))))))


(LEMMA
  (FORALL ((S SET))
    (=> (EXACTLY-ONE (MEMBER-OF S))
        (IS S SINGLETON-SET))))


(IN-CONTEXT
  ((LET-BE S1 SINGLETON-SET)
   (WRITE-AS S1 (MAKE-SET X)
     (X THING)))
  (NOTE (IS S1 SET))
  (NOTE (EXISTS-SOME (MEMBER-OF S1)))
  (IN-CONTEXT
    ((LET-BE Y1 (MEMBER-OF S1))
     (LET-BE Y2 (MEMBER-OF S1)))
    (NOTE (AT-MOST-ONE (MEMBER-OF S1)))))


(IN-CONTEXT
  ((LET-BE S SET)
   (SUPPOSE (EXACTLY-ONE (MEMBER-OF S)))
   (LET-BE THE-MEMBER
     (THE (MEMBER-OF S)))
   (LET-BE S2 (MAKE-SET THE-MEMBER)))
  (NOTE (= S S2))
  (NOTE (IS S SINGLETON-SET)))


(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE Y THING)
   (LET-BE SY (MAKE-SET Y))
   (LET-BE SXY (INSERT X SY)))
  (NOTE (IS SXY SET))
  (NOTE (IS X (MEMBER-OF SXY)))
  (IN-CONTEXT
    ((LET-BE Z (MEMBER-OF SXY)))
    (NOTE (OR (= Z X)
              (= Z Y)))))


(LEMMA
  (FORALL ((X THING)
           (Y THING)
           (Z (MEMBER-OF
                (MAKE-SET X Y))))
    (OR (= Z X)
        (= Z Y))))


(LEMMA
  (FORALL ((X THING)
           (Y THING))
    (IS (MAKE-SET X Y)
        SET)))


(LEMMA
  (FORALL ((Y THING)
           (X THING))
    (IS X (MEMBER-OF (MAKE-SET X Y)))))


(LEMMA
  (FORALL ((Y THING)
           (X THING))
    (= (MAKE-SET X Y)
       (MAKE-SET Y X))))


(LEMMA
  (FORALL ((Y THING)
           (X THING)
           (Z THING))
    (= (MAKE-SET X Y Z)
       (MAKE-SET Y X Z))))


(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE Y THING)
   (LET-BE E THE-EMPTY-SET))
  (NOTE (= (MAKE-SET X Y)
           (MAKE-SET Y X))))


(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE Y THING)
   (LET-BE Z THING)
   (PUSH-GOAL
     (= (MAKE-SET X Y Z)
        (MAKE-SET Y X Z))))
  (IN-CONTEXT
    ((LET-BE S (MAKE-SET Z)))
    (NOTE-GOAL)))


(DEFTYPE (NOT-EQUAL-TO (X THING))
  (LAMBDA ((Y THING))
    (NOT (= X Y))))
(LEMMA
  (FORALL ((S SET))
    (EXISTS ((X THING))
      (NOT (IS X (MEMBER-OF S))))))


Paradox:

(IN-CONTEXT
  ((LET-BE S SET)
   (SUPPOSE
     (FORALL ((X THING))
       (IS X (MEMBER-OF S))))
   (LET-BE S2
     (THE-SET-OF-ALL
       (X (MEMBER-OF S))
       (NOT (IS X (MEMBER-OF X))))))
  (IN-CONTEXT
    ((SUPPOSE (IS S2 (MEMBER-OF S2))))
    (NOTE-CONTRADICTION))
  (NOTE-CONTRADICTION))


(LEMMA
  (FORALL ((X THING))
    (EXISTS-SOME (NOT-EQUAL-TO X))))


(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE SX (MAKE-SET X))
   (LET-BE Y THING
     (NOT (IS Y (MEMBER-OF SX)))))
  (NOTE (EXISTS-SOME (NOT-EQUAL-TO X))))


(DEFTYPE DOUBLETON-SET
  (WRITABLE-AS (MAKE-SET X Y)
    (X THING)
    (Y (NOT-EQUAL-TO X))))


(LEMMA (EXISTS-SOME DOUBLETON-SET))

(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE Y (NOT-EQUAL-TO X)))
  (NOTE (EXISTS-SOME DOUBLETON-SET)))


(DEFTYPE (OTHER-MEMBER (S SET) (X (MEMBER-OF S)))
  (AND-TYPE (MEMBER-OF S) (NOT-EQUAL-TO X)))


(LEMMA
  (FORALL ((S DOUBLETON-SET))
    (IS S SET)))


(LEMMA
  (FORALL ((S DOUBLETON-SET))
    (NOT (IS S SINGLETON-SET))))


(LEMMA
  (FORALL ((S DOUBLETON-SET))
    (EXISTS-SOME (MEMBER-OF S))))


(LEMMA
  (FORALL ((S DOUBLETON-SET)
           (Z (MEMBER-OF S)))
    (EXISTS-SOME (OTHER-MEMBER S Z))))


(LEMMA
  (FORALL ((S DOUBLETON-SET)
           (Z (MEMBER-OF S)))
    (AT-MOST-ONE (OTHER-MEMBER S Z))))


(LEMMA
  (FORALL ((S DOUBLETON-SET)
           (Z (MEMBER-OF S)))
    (= S
       (MAKE-SET
         Z
         (THE (OTHER-MEMBER S Z))))))


(IN-CONTEXT
  ((LET-BE S DOUBLETON-SET)
   (WRITE-AS S (MAKE-SET X Y)
     (X THING)
     (Y (NOT-EQUAL-TO X))))
  (NOTE (IS S SET))
  (NOTE (NOT (IS S SINGLETON-SET)))
  (NOTE (EXISTS-SOME (MEMBER-OF S)))
  (IN-CONTEXT
    ((LET-BE Z (MEMBER-OF S)))
    (IN-CONTEXT
      ((PUSH-GOAL
         (EXISTS-SOME
           (OTHER-MEMBER S Z))))
      (IN-CONTEXT
        ((SUPPOSE (= Z X)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (IN-CONTEXT
      ((PUSH-GOAL
         (AT-MOST-ONE (OTHER-MEMBER S Z)))
       (LET-BE V1 (OTHER-MEMBER S Z))
       (LET-BE V2 (OTHER-MEMBER S Z)))
      (IN-CONTEXT
        ((SUPPOSE (= X Z)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (IN-CONTEXT
      ((PUSH-GOAL
         (= S
            (MAKE-SET
              Z
              (THE (OTHER-MEMBER S Z))))))
      (IN-CONTEXT
        ((SUPPOSE (= X Z)))
        (NOTE-GOAL))
      (NOTE-GOAL))))


(LEMMA
  (FORALL ((S SINGLETON-SET))
    (NOT (IS S DOUBLETON-SET))))


(IN-CONTEXT
  ((LET-BE S SINGLETON-SET)
   (LET-BE X (THE (MEMBER-OF S))))
  (NOTE (NOT (IS S DOUBLETON-SET))))


(DEFTYPE (SET-CONTAINING (X THING))
  (LAMBDA ((S SET))
    (IS X (MEMBER-OF S))))


(DEFTYPE (SUPERSET-OF (S1 SET))
  (LAMBDA ((S2 SET))
    (IS S1 (SUBSET-OF S2))))


(DEFTYPE (PROPER-SUPERSET-OF (S SET))
  (AND-TYPE (SUPERSET-OF S) (NOT-EQUAL-TO S)))


(DEFTYPE (PROPER-SUBSET-OF (S SET))
  (AND-TYPE (SUBSET-OF S) (NOT-EQUAL-TO S)))


(DEFTYPE (NOT-MEMBER-OF (S SET))
  (LAMBDA ((X THING))
    (NOT (IS X (MEMBER-OF S)))))


(DEFTYPE NON-EMPTY-SET
  (LAMBDA ((S SET))
    (EXISTS-SOME (MEMBER-OF S))))


(LEMMA (EXISTS-SOME NON-EMPTY-SET))

(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE S1 (MAKE-SET X)))
  (NOTE (EXISTS-SOME NON-EMPTY-SET)))


(DEFTYPE (NON-EMPTY-SUBSET-OF (S NON-EMPTY-SET))
  (AND-TYPE (SUBSET-OF S) NON-EMPTY-SET))


(LEMMA (FORALL ((S SET)
                (S2 (SUBSET-OF S))
                (S3 (SUBSET-OF S2)))
         (IS S3 (SUBSET-OF S))))


(IN-CONTEXT
  ((LET-BE S SET)
   (LET-BE S2 (SUBSET-OF S))
   (LET-BE S3 (SUBSET-OF S2))
   (PUSH-GOAL (IS S3 (SUBSET-OF S))))
  (IN-CONTEXT
    ((SUPPOSE
       (EXISTS-SOME (MEMBER-OF S3)))
     (LET-BE X (MEMBER-OF S3)))
    (NOTE-GOAL))
  (NOTE-GOAL))


(DEFTYPE FAMILY-OF-SETS
  (LAMBDA ((F NON-EMPTY-SET))
    (IS-EVERY (MEMBER-OF F) SET)))


(LEMMA (FORALL ((S1 SET))
         (IS (INSERT S1 THE-EMPTY-SET)
             FAMILY-OF-SETS)))

(LEMMA (EXISTS-SOME FAMILY-OF-SETS))


(IN-CONTEXT
  ((LET-BE S1 SET))
  (IN-CONTEXT
    ((LET-BE F1 (MAKE-SET S1))
     (LET-BE S (MEMBER-OF F1)))
    (NOTE (IS F1 FAMILY-OF-SETS))
    (NOTE (EXISTS-SOME FAMILY-OF-SETS))))


(LEMMA
  (FORALL ((S SET)
           (F1 FAMILY-OF-SETS))
    (IS (INSERT S F1)
        FAMILY-OF-SETS)))


(IN-CONTEXT
  ((LET-BE S SET)
   (LET-BE F1 FAMILY-OF-SETS)
   (LET-BE F2 (INSERT S F1))
   (PUSH-GOAL (IS F2 FAMILY-OF-SETS)))
  (IN-CONTEXT
    ((LET-BE FMEM (MEMBER-OF F2)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS FMEM SET)))
      (IN-CONTEXT
        ((SUPPOSE (= FMEM S)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))


LEHHi 

(FORiLL  ( (S2  SET) 

(S3  SET)) 

(IS  (HARE-SET  S2  S3) 
FIHILY-OF-SETS))) 


LEHHi 

(FORiLL  ((St  SET) 

(32  SET) 

(S3  SETt) 

(IS  (HilE-SET  SI  $2  S3) 
FIHILY-OF-SETS))) 


(II-COITEXT 

((LET-BE  SI  SET) 

(LET-BE  32  SET) 

(LET-BE  S3  SET)) 

(II-COITEXT 

((LET-BE  Ft  (HARE-SET  S3)) 

(LET-BE  F2  (HARE-SET  S2  S3)) 
(LET-BE  F3  (HIRE-SET  SI  S2  S3))) 
(IOTE  (IS  F2  FIHILY-OF-SETS)) 

(IOTE  (IS  F3  FAHILY-OF-SETS)))) 


LEHHi 

(FORiLL  ((S  IQI-EHPTY-SET) 
(X  (HEHBER-OF  S)) 
(Y  (HEHBER-OF  S))) 
(IS  (HiRE-SET  I  Y) 
(SUBSET-OF  S)))) 


(II-COITEIT 

((LET-BK  S  IOI-EHPTY-SET) 

(LET-BE  I  (HEHBER-OF  S)) 

(LET-BE  Y  (HEHBER-OF  3) ) 

(LET-BE  SXY  (HiRE-SET  X  Y)) 
(PUSH-GOiL  (IS  SXY  (SUBSET-OF  S)))) 
(II-COITEIT 

((LET-BE  Z  (HEHBER-OF  SIY))) 
(II-COITEXT 

((PUSH-GOiL  (IS  Z  (HEHBER-OF  S)))) 
(II-COITEIT 

((SUPPOSE  (•  Z  X))) 

(IOTE-GOAL)) 

(I0TE-GO1L/) 

(IOTE-GOAL))) 
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(LEMMA 

CFORALL  CCS  IQI-EHPTY-SET) 
CX  (HEHBER-QF  S)) 
CY  (HEHBER-OF  S)) 
<2  CHEMBER-OF  S))) 
CIS  (HAKE-SET  X  Y  7.) 
CSUBSET-OF  S))>) 


(II-COITEXT 

(CLET-BE  S  IOI-EHPTY-SCT) 

CLET-BE  X  (KEMBER-OF  S)) 

(LET-BE  Y  CKEHBER-OF  S)) 

CLET-BE  2  (HEHBER-OF  S)) 

(LET-BE  S2  CJUKE-SET  I  Y  2)) 
(PUSH-GOAL  CIS  S2  CSUBSET-OF  S)))) 
CII-CQITEXT 

CCLET-BE  S3  C MIKE-SET  Y  2))) 
(BOTE-GOAL) )) 


CDEFTYPE  (KEMBER-OF-HEMBER  CF  FAHILY-OF-SEYS)) 
(VRITABLE-AS  2 
C2  (KEMBER-OF  Y)) 

CY  C MEMBER- OF  F)))) 


CDEFTERM  (FAMILY -UIIOI  (F  FAHILY-OF-SETS) ) 
(THE-SET-QF-ALL  CMEMBER-OF-MEMEER  F))) 


(LEMMA 

CFORALL  CCF  FAHILY-OF-SETS) ) 
CIS  CFAHILY-UBIQI  F)  SET))) 

(LEMMA 

CFORALL  CCF  FAMILY-OF-SETS) 

CS  (KEMBER-OF  F))) 

CIS  S  CSUBSET-OF 

CFAMILY-UIIOI  F))))) 

CLEHKA 

CFORALL  CCF  FAHILY-OF-SETS) 

(S  SET 

(IS-EVERY 

CHEMBER-OF  F) 
CSUBSET-OF  S)))) 
CIS  CFAMILY-UIIOI  F) 
CSUBSET-OF  S)))) 


(II-COITEIT 

CCLET-BE  F  FAHILY-CF-SETS; 

CLET-BE  UIIOI-F  CFAMILY-UIIOI  F))) 

C10TK  CIS  UIIOI-F  SET)) 

CII-CQITEXT 

(CLET-BE  S  CHEMBER-OF  F)) 

CPUSI-QOAL  CIS  8  CSUBSET-OF  UIIOI-F)))) 
(II-COITEIT 

((SUPPOSE  (EIISTS-SOHE  CHEMBER-OF  S))) 
(LKT-BK  X  CHEMBER-OF  S))) 

(IOTE-QOAL) > 

(IOTE-00 AL) ) 

CII-COITEXT 
(CLET-BE  S  SET 

(IS-EVERY  (MEMBER-OFF)  (SUBSET-OF  3))) 
(PUSH-GOAL  (IS  UIIOI-F  (SUBSET-OF  S)))) 
Cii-correxT 
((SUPPOSE 

(EXISTS-SOHE  (MEMBER-0F  UIIOI-F))) 
(LET-BE  X  (KEMBER-OF  UIIOI-F)) 

(LET-BE  S2  (HEMBER-OF  F) 

(IS  X  CHEMBER-OF  32)))) 

(IOTE-GOAL)) 

(IOTE-QOAL))) 


(DEFTERM (UNION (S1 SET) (S2 SET))
  (FAMILY-UNION (MAKE-SET S1 S2)))


(LEMMA
  (FORALL ((S1 SET)
           (S2 SET))
    (IS (UNION S1 S2) SET)))


(LEMMA
  (FORALL ((S2 SET)
           (S1 SET))
    (IS S1
        (SUBSET-OF (UNION S1 S2)))))


(LEMMA
  (FORALL ((S1 SET) (S2 SET))
    (= (UNION S1 S2)
       (THE-SET-OF-ALL
         (OR-TYPE (MEMBER-OF S1)
                  (MEMBER-OF S2))))))


(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE F (MAKE-SET S1 S2))
   (LET-BE USET (UNION S1 S2)))
  (NOTE (IS USET SET))
  (NOTE (IS S1 (SUBSET-OF USET)))
  (IN-CONTEXT
    ((LET-BE USET2
       (THE-SET-OF-ALL
         (OR-TYPE (MEMBER-OF S1)
                  (MEMBER-OF S2))))
     (PUSH-GOAL (= USET USET2)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS USET (SUBSET-OF USET2))))
      (IN-CONTEXT
        ((SUPPOSE (EXISTS-SOME (MEMBER-OF USET)))
         (LET-BE X (MEMBER-OF USET))
         (LET-BE S3 (MEMBER-OF F)
           (IS X (MEMBER-OF S3))))
        (IN-CONTEXT
          ((PUSH-GOAL (IS X (MEMBER-OF USET2))))
          (IN-CONTEXT
            ((SUPPOSE (= S3 S1)))
            (NOTE-GOA
L))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (IN-CONTEXT
      ((PUSH-GOAL (IS USET2 (SUBSET-OF USET))))
      (IN-CONTEXT
        ((SUPPOSE (EXISTS-SOME (MEMBER-OF USET2)))
         (LET-BE X (MEMBER-OF USET2)))
        (IN-CONTEXT
          ((PUSH-GOAL (IS X (MEMBER-OF USET))))
          (IN-CONTEXT
            ((SUPPOSE (IS X (MEMBER-OF S1))))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))


(LEMMA
  (FORALL ((S1 SET)
           (S2 SET)
           (S3 (AND-TYPE
                 (SUPERSET-OF S1)
                 (SUPERSET-OF S2))))
    (IS S3
        (SUPERSET-OF (UNION S1 S2)))))


(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE F (MAKE-SET S1 S2))
   (LET-BE USET (UNION S1 S2))
   (LET-BE S3 (AND-TYPE (SUPERSET-OF S1)
                        (SUPERSET-OF S2)))
   (PUSH-GOAL
     (IS S3 (SUPERSET-OF (FAMILY-UNION F)))))
  (IN-CONTEXT
    ((LET-BE S4 (MEMBER-OF F)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS S4 (SUBSET-OF S3))))
      (IN-CONTEXT
        ((SUPPOSE (= S4 S1)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))


(DEFTERM (FAMILY-INTERSECTION (F FAMILY-OF-SETS))
  (THE-SET-OF-ALL (X (MEMBER-OF-MEMBER F))
    (IS-EVERY (MEMBER-OF F) (SET-CONTAINING X))))


(LEMMA
  (FORALL ((F FAMILY-OF-SETS))
    (IS (FAMILY-INTERSECTION F) SET)))


(LEMMA
  (FORALL ((F FAMILY-OF-SETS)
           (S (MEMBER-OF F)))
    (IS S
        (SUPERSET-OF
          (FAMILY-INTERSECTION F)))))


(LEMMA
  (FORALL ((F FAMILY-OF-SETS)
           (S SET
              (FORALL
                ((MEM2 (MEMBER-OF F)))
                (IS MEM2
                    (SUPERSET-OF S)))))
    (IS (FAMILY-INTERSECTION F)
        (SUPERSET-OF S))))


(IN-CONTEXT
  ((LET-BE F FAMILY-OF-SETS)
   (LET-BE INTERSECTION-F
     (FAMILY-INTERSECTION F)))
  (NOTE (IS INTERSECTION-F SET))
  (IN-CONTEXT
    ((LET-BE S (MEMBER-OF F))
     (PUSH-GOAL
       (IS S (SUPERSET-OF INTERSECTION-F))))
    (IN-CONTEXT
      ((SUPPOSE
         (EXISTS-SOME
           (MEMBER-OF INTERSECTION-F)))
       (LET-BE X (MEMBER-OF INTERSECTION-F)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((LET-BE S SET
       (IS-EVERY (MEMBER-OF F)
                 (SUPERSET-OF S)))
     (PUSH-GOAL
       (IS INTERSECTION-F (SUPERSET-OF S))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF S)))
       (LET-BE X (MEMBER-OF S))
       (LET-BE S2 (MEMBER-OF F)))
      (NOTE-GOAL))
    (NOTE-GOAL)))


(DEFTERM (INTERSECTION (S1 SET) (S2 SET))
  (FAMILY-INTERSECTION (MAKE-SET S1 S2)))


(LEMMA
  (FORALL ((S1 SET)
           (S2 SET))
    (IS (INTERSECTION S1 S2) SET)))


(LEMMA
  (FORALL ((S2 SET)
           (S1 SET))
    (IS S1
        (SUPERSET-OF
          (INTERSECTION S1 S2)))))


(LEMMA
  (FORALL ((S1 SET) (S2 SET))
    (= (INTERSECTION S1 S2)
       (THE-SET-OF-ALL
         (AND-TYPE (MEMBER-OF S1)
                   (MEMBER-OF S2))))))


(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE F (MAKE-SET S1 S2))
   (LET-BE ISET (INTERSECTION S1 S2)))
  (NOTE (IS ISET SET))
  (NOTE (IS S1 (SUPERSET-OF ISET)))
  (IN-CONTEXT
    ((LET-BE ISET2
       (THE-SET-OF-ALL
         (AND-TYPE (MEMBER-OF S1)
                   (MEMBER-OF S2))))
     (PUSH-GOAL (= ISET ISET2)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS ISET (SUBSET-OF ISET2))))
      (IN-CONTEXT
        ((SUPPOSE (EXISTS-SOME (MEMBER-OF ISET)))
         (LET-BE Z (MEMBER-OF ISET)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (IN-CONTEXT
      ((PUSH-GOAL (IS ISET2 (SUBSET-OF ISET))))
      (IN-CONTEXT
        ((SUPPOSE (EXISTS-SOME (MEMBER-OF ISET2)))
         (LET-BE X (MEMBER-OF ISET2))
         (LET-BE S3 (MEMBER-OF F)))
        (IN-CONTEXT
          ((PUSH-GOAL (IS X (MEMBER-OF S3))))
          (IN-CONTEXT
            ((SUPPOSE (= S3 S1)))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))


(LEMMA
  (FORALL ((S1 SET)
           (S2 SET)
           (S3 (AND-TYPE
                 (SUBSET-OF S1)
                 (SUBSET-OF S2))))
    (IS S3
        (SUBSET-OF
          (INTERSECTION S1 S2)))))


(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE F (MAKE-SET S1 S2))
   (LET-BE ISET (INTERSECTION S1 S2))
   (LET-BE S3 (AND-TYPE (SUBSET-OF S1)
                        (SUBSET-OF S2)))
   (PUSH-GOAL (IS S3 (SUBSET-OF ISET))))
  (IN-CONTEXT
    ((LET-BE S4 (MEMBER-OF F)))
    (IN-CONTEXT
      ((PUSH-GOAL
         (IS S4 (SUPERSET-OF S3))))
      (IN-CONTEXT
        ((SUPPOSE (= S4 S1)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))


(LEMMA
  (FORALL ((S2 SET)
           (S1 SET)
           (S3 SET))
    (= (INTERSECTION S1
                     (UNION S2 S3))
       (UNION (INTERSECTION S1 S2)
              (INTERSECTION S1 S3)))))


(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE S3 SET)
   (LET-BE U-S2-S3 (UNION S2 S3))
   (LET-BE I-S1-S2 (INTERSECTION S1 S2))
   (LET-BE I-S1-S3 (INTERSECTION S1 S3))
   (LET-BE ISET (INTERSECTION S1 U-S2-S3))
   (LET-BE USET (UNION I-S1-S2 I-S1-S3))
   (PUSH-GOAL (= ISET USET)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS ISET (SUBSET-OF USET))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF ISET)))
       (LET-BE X (MEMBER-OF ISET)))
      (IN-CONTEXT
        ((PUSH-GOAL (IS X (MEMBER-OF USET))))
        (IN-CONTEXT
          ((SUPPOSE (IS X (MEMBER-OF S2))))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (IS USET (SUBSET-OF ISET))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF USET)))
       (LET-BE X (MEMBER-OF USET)))
      (IN-CONTEXT
        ((PUSH-GOAL (IS X (MEMBER-OF ISET))))
        (IN-CONTEXT
          ((SUPPOSE (IS X (MEMBER-OF I-S1-S2))))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))


(LEMMA
  (FORALL ((S2 SET)
           (S1 SET)
           (S3 SET))
    (= (UNION S1
              (INTERSECTION S2 S3))
       (INTERSECTION (UNION S1 S2)
                     (UNION S1 S3)))))


(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE S3 SET)
   (LET-BE I-S2-S3 (INTERSECTION S2 S3))
   (LET-BE U-S1-S2 (UNION S1 S2))
   (LET-BE U-S1-S3 (UNION S1 S3))
   (LET-BE USET (UNION S1 I-S2-S3))
   (LET-BE ISET (INTERSECTION U-S1-S2 U-S1-S3))
   (PUSH-GOAL (= USET ISET)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS USET (SUBSET-OF ISET))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF USET)))
       (LET-BE X (MEMBER-OF USET)))
      (IN-CONTEXT
        ((PUSH-GOAL (IS X (MEMBER-OF ISET))))
        (IN-CONTEXT
          ((SUPPOSE (IS X (MEMBER-OF S1))))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (IS ISET (SUBSET-OF USET))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF ISET)))
       (LET-BE X (MEMBER-OF ISET)))
      (IN-CONTEXT
        ((PUSH-GOAL (IS X (MEMBER-OF USET))))
        (IN-CONTEXT
          ((SUPPOSE (IS X (MEMBER-OF S1))))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))




(LEMMA
  (FORALL ((S1 SET)
           (S3 (SUBSET-OF S1))
           (S2 SET))
    (IS (UNION S3 S2)
        (SUBSET-OF (UNION S1 S2)))))


(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE S3 (SUBSET-OF S1))
   (LET-BE USET1 (UNION S1 S2))
   (LET-BE USET2 (UNION S3 S2))
   (PUSH-GOAL (IS USET2 (SUBSET-OF USET1))))
  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (MEMBER-OF USET2)))
     (LET-BE X (MEMBER-OF USET2)))
    (IN-CONTEXT
      ((PUSH-GOAL (IS X (MEMBER-OF USET1))))
      (IN-CONTEXT
        ((SUPPOSE (IS X (MEMBER-OF S3))))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))


(LEMMA
  (FORALL ((S1 SET)
           (S3 (SUBSET-OF S1))
           (S2 SET))
    (IS (INTERSECTION S3 S2)
        (SUBSET-OF
          (INTERSECTION S1 S2)))))


(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE S3 (SUBSET-OF S1))
   (LET-BE ISET1 (INTERSECTION S1 S2))
   (LET-BE ISET2 (INTERSECTION S3 S2))
   (PUSH-GOAL (IS ISET2 (SUBSET-OF ISET1))))
  (IN-CONTEXT
    ((SUPPOSE (EXISTS-SOME (MEMBER-OF ISET2)))
     (LET-BE X (MEMBER-OF ISET2)))
    (NOTE-GOAL))
  (NOTE-GOAL))


(LEMMA
  (FORALL ((S1 SET)
           (S2 (SUBSET-OF S1)))
    (= S1
       (UNION S1 S2))))

(LEMMA
  (FORALL ((S1 SET)
           (S2 (SUBSET-OF S1)))
    (= S2
       (INTERSECTION S1 S2))))


(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 (SUBSET-OF S1)))
  (IN-CONTEXT
    ((LET-BE USET (UNION S1 S2)))
    (NOTE (= S1 (UNION S1 S2))))
  (IN-CONTEXT
    ((LET-BE ISET (INTERSECTION S1 S2)))
    (NOTE (= S2 (INTERSECTION S1 S2)))))


APPENDIX A. THE STONE REPRESENTATION THEOREM


(DEFTYPE (DISJOINT-FROM (S1 SET))
  (LAMBDA ((S2 SET))
    (= (INTERSECTION S1 S2)
       THE-EMPTY-SET)))


(LEMMA
  (FORALL ((S1 SET))
    (EXISTS-SOME (DISJOINT-FROM S1))))


(IN-CONTEXT ((LET-BE S1 SET)
             (LET-BE ESET THE-EMPTY-SET))
  (NOTE (EXISTS-SOME (DISJOINT-FROM S1))))


(LEMMA
  (FORALL ((S1 SET) (S2 SET))
    (IFF (IS S1 (DISJOINT-FROM S2))
         (IS-EVERY
           (MEMBER-OF S1)
           (NOT-MEMBER-OF S2)))))


(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE INT (INTERSECTION S1 S2))
   (PUSH-GOAL
     (IFF (IS S1 (DISJOINT-FROM S2))
          (IS-EVERY (MEMBER-OF S1)
                    (NOT-MEMBER-OF S2)))))
  (IN-CONTEXT
    ((SUPPOSE (IS-EVERY (MEMBER-OF S1)
                        (NOT-MEMBER-OF S2))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF INT)))
       (LET-BE X (MEMBER-OF INT)))
      (NOTE-CONTRADICTION))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((SUPPOSE (IS S1 (DISJOINT-FROM S2))))
    (IN-CONTEXT
      ((PUSH-GOAL
         (IS-EVERY (MEMBER-OF S1)
                   (NOT-MEMBER-OF S2))))
      (IN-CONTEXT
        ((SUPPOSE (EXISTS-SOME (MEMBER-OF S1)))
         (LET-BE X (MEMBER-OF S1)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))




(DEFTERM (SET-DIFFERENCE (S1 SET) (S2 SET))
  (THE-SET-OF-ALL
    (AND-TYPE (MEMBER-OF S1) (NOT-MEMBER-OF S2))))


(LEMMA
  (FORALL ((S1 SET) (S2 SET))
    (IS (SET-DIFFERENCE S1 S2)
        (SUBSET-OF S1))))

(LEMMA (FORALL ((S1 SET) (S2 SET))
         (IS (SET-DIFFERENCE S1 S2)
             (DISJOINT-FROM S2))))

(LEMMA (FORALL ((S1 SET) (S2 SET))
         (= (UNION
              S2
              (SET-DIFFERENCE S1 S2))
            (UNION S1 S2))))


(IN-CONTEXT
  ((LET-BE S1 SET)
   (LET-BE S2 SET)
   (LET-BE SD (SET-DIFFERENCE S1 S2)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS SD (SUBSET-OF S1))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF SD)))
       (LET-BE X (MEMBER-OF SD)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL
       (IS SD (DISJOINT-FROM S2))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF SD)))
       (LET-BE X (MEMBER-OF SD)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((LET-BE USET1 (UNION S2 SD))
     (LET-BE USET2 (UNION S1 S2))
     (PUSH-GOAL (= USET1 USET2)))
    (IN-CONTEXT
      ((PUSH-GOAL
         (IS USET2 (SUBSET-OF USET1))))
      (IN-CONTEXT
        ((SUPPOSE (EXISTS-SOME (MEMBER-OF USET2)))
         (LET-BE X (MEMBER-OF USET2)))
        (IN-CONTEXT
          ((PUSH-GOAL
             (IS X (MEMBER-OF USET1))))
          (IN-CONTEXT
            ((SUPPOSE (IS X (MEMBER-OF S2))))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))


(DEFTERM (REMOVE (X THING) (S SET))
  (SET-DIFFERENCE S (MAKE-SET X)))


(LEMMA
  (FORALL ((S SET) (X THING))
    (= (REMOVE X S)
       (THE-SET-OF-ALL
         (AND-TYPE (MEMBER-OF S)
                   (NOT-EQUAL-TO X))))))


(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE S SET)
   (LET-BE REM (REMOVE X S))
   (LET-BE S2 (MAKE-SET X))
   (LET-BE S3
     (THE-SET-OF-ALL
       (AND-TYPE (MEMBER-OF S)
                 (NOT-EQUAL-TO X))))
   (PUSH-GOAL (= REM S3)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS REM (SUBSET-OF S3))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF REM)))
       (LET-BE T (MEMBER-OF REM)))
      (NOTE (IS T (NOT-EQUAL-TO X)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (IS S3 (SUBSET-OF REM))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF S3)))
       (LET-BE T (MEMBER-OF S3)))
      (NOTE (IS T (NOT-MEMBER-OF
                    (INSERT X THE-EMPTY-SET))))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))


(LEMMA
  (FORALL ((S SET)
           (X THING)
           (Y THING))
    (= (REMOVE Y (REMOVE X S))
       (THE-SET-OF-ALL
         (AND-TYPE (MEMBER-OF S)
                   (NOT-EQUAL-TO X)
                   (NOT-EQUAL-TO Y))))))


(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE Y THING)
   (LET-BE S SET)
   (LET-BE SX (REMOVE X S))
   (LET-BE SYX (REMOVE Y SX))
   (LET-BE SYX2
     (THE-SET-OF-ALL
       (AND-TYPE (MEMBER-OF S)
                 (NOT-EQUAL-TO X)
                 (NOT-EQUAL-TO Y))))
   (PUSH-GOAL (= SYX SYX2)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS SYX (SUBSET-OF SYX2))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF SYX)))
       (LET-BE Z (MEMBER-OF SYX)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (IS SYX2 (SUBSET-OF SYX))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF SYX2)))
       (LET-BE Z (MEMBER-OF SYX2)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))


(LEMMA
  (FORALL ((Y THING)
           (X THING)
           (S SET))
    (= (REMOVE X (REMOVE Y S))
       (REMOVE Y (REMOVE X S)))))


(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE Y THING)
   (LET-BE S SET)
   (LET-BE SXY (REMOVE X (REMOVE Y S)))
   (LET-BE SYX (REMOVE Y (REMOVE X S)))
   (PUSH-GOAL (= SXY SYX)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS SXY (SUBSET-OF SYX))))
    (IN-CONTEXT
      ((SUPPOSE (EXISTS-SOME (MEMBER-OF SXY)))
       (LET-BE Z (MEMBER-OF SXY)))
      (NOTE-GOAL))
    (NOTE+GENERALIZE-GOAL))
  (NOTE-GOAL))


(DEFTERM (POWER-SET (S SET))
  (THE-SET-OF-ALL (SUBSET-OF S)))


(LEMMA
  (FORALL ((S SET))
    (IS (POWER-SET S)
        FAMILY-OF-SETS)))


(LEMMA
  (FORALL ((S SET))
    (= S
       (FAMILY-UNION (POWER-SET S)))))


(IN-CONTEXT
  ((LET-BE S SET)
   (LET-BE P (POWER-SET S)))
  (IN-CONTEXT
    ((LET-BE S2 (MEMBER-OF P)))
    (NOTE (IS P FAMILY-OF-SETS)))
  (IN-CONTEXT
    ((LET-BE S2
       (FAMILY-UNION (POWER-SET S))))
    (NOTE (= S (FAMILY-UNION (POWER-SET S))))))


A.2 Pairs, Rules and Structures


This section contains facts about pairs, rules and structures. For any two
things x and y the pair <x, y> is implemented as the set {{x}, {x, y}}. A
rule is a set of pairs. An object which appears on the right side of a pair in a
rule r is called a domain element of r. The set of all domain elements of r
is called the rule domain of the rule r (rule domains are different from map
domains; map domains are discussed below).

A structure is a rule whose domain is a set of symbols. Ontic structures
are similar to the "structures" or "records" used in computer programming
languages (e.g. structures defined via DEFSTRUCT in Common Lisp). The
symbols in the domain of a structure rule are sometimes called the "slots"
of the structure. From a mathematical point of view the most interesting
structures have a U-SET slot which contains the "domain" or "underlying
set" of the structure. A structure with a U-SET slot that contains a set is
called a set structure. Many different kinds of mathematical objects can be
modeled as set structures; partial orders, algebras, topologies, graphs, and
differentiable manifolds can all be implemented as set structures.


(DEFTERM (MAKE-PAIR (X THING) (Y THING))
  (MAKE-SET (MAKE-SET X Y) (MAKE-SET X)))


(LEMMA
  (FORALL ((X THING) (Y THING))
    (= (FAMILY-UNION (MAKE-PAIR X Y))
       (MAKE-SET X Y))))

(LEMMA
  (FORALL ((Y THING) (X THING))
    (= (FAMILY-INTERSECTION
         (MAKE-PAIR X Y))
       (MAKE-SET X))))


(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE Y THING)
   (LET-BE SX (MAKE-SET X))
   (LET-BE SXY (MAKE-SET X Y))
   (LET-BE SPAIR (MAKE-PAIR X Y)))
  (NOTE (IS (FAMILY-UNION SPAIR) SXY))
  (NOTE (IS (FAMILY-INTERSECTION SPAIR) SX)))


(DEFTYPE PAIR
  (WRITABLE-AS (MAKE-PAIR X Y)
    (X THING)
    (Y THING)))

(DEFTERM (LEFT (P PAIR))
  (THE (MEMBER-OF (FAMILY-INTERSECTION P))))


(LEMMA
  (FORALL ((X THING) (Y THING))
    (= X
       (LEFT (MAKE-PAIR X Y)))))


(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE Y THING)
   (LET-BE P (MAKE-PAIR X Y))
   (LET-BE SX (FAMILY-INTERSECTION P)))
  (NOTE (= X (LEFT P))))


(DEFTERM (RIGHT (P PAIR))
  (IF (SINGLETON-SET P)
      (LEFT P)
      (THE (OTHER-MEMBER
             (FAMILY-UNION P)
             (LEFT P)))))


(LEMMA
  (FORALL ((X THING) (Y THING))
    (= Y
       (RIGHT (MAKE-PAIR X Y)))))


(IN-CONTEXT
  ((LET-BE X THING)
   (LET-BE Y THING)
   (LET-BE P (MAKE-PAIR X Y))
   (PUSH-GOAL (= Y (RIGHT P)))
   (LET-BE MX (MAKE-SET X))
   (LET-BE MY (MAKE-SET X Y)))
  (IN-CONTEXT
    ((SUPPOSE (= X Y)))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((SUPPOSE (NOT (= X Y))))
    (NOTE (NOT (= MX MY)))
    (NOTE-GOAL))
  (NOTE-GOAL))


For efficiency the type RULE, the operators THE-RULE and THE-FUNCTION,
and the type generators DOMAIN-TYPE and RULE-BETWEEN are all implemented
primitively. If f is a syntactically small function expression of one argument
then the term (THE-RULE f) denotes a set theoretic object, such as a set of
pairs, that corresponds to the function f. Instances of the type RULE are
objects which can be written as (THE-RULE f) where f is a syntactically small
function expression of one argument. If R denotes a rule then the type
(DOMAIN-TYPE R) is the type corresponding to the domain of the rule (function)
f and (THE-FUNCTION R) is the function corresponding to R. If S1 and S2
denote sets then instances of the type (RULE-BETWEEN S1 S2) are rules that
give mappings from S1 into S2.

(DEFTYPE (DOMAIN-TYPE (R RULE))
  (MEMBER-OF (RULE-DOMAIN R)))


(LEMMA
  (FORALL ((S1 NON-EMPTY-SET)
           (S2 NON-EMPTY-SET))
    (EXISTS-SOME
      (RULE-BETWEEN S1 S2))))


(IN-CONTEXT
  ((LET-BE S1 NON-EMPTY-SET)
   (LET-BE S2 NON-EMPTY-SET)
   (LET-BE Y (MEMBER-OF S2))
   (LET-BE R
     (THE-RULE ((X (MEMBER-OF S1))) Y)))
  (NOTE
    (EXISTS-SOME (RULE-BETWEEN S1 S2))))


(DEFTERM (RESTRICT-RULE (R RULE)
                        (S (SUBSET-OF
                             (RULE-DOMAIN R))))
  (THE-RULE ((X (MEMBER-OF S)))
    (APPLY-RULE R X)))


(DEFTERM (RESTRICT-RELATION (R RELATION)
                            (S (SUBSET-OF
                                 (RULE-DOMAIN R))))
  (THE-RULE ((X (MEMBER-OF S)))
    (INTERSECTION S (APPLY-RULE R X))))




(DEFTYPE (INJECTIVE-RULE-BETWEEN (S1 SET) (S2 SET))
  (LAMBDA ((R (RULE-BETWEEN S1 S2)))
    (FORALL ((Y (MEMBER-OF S1)))
      (EXACTLY-ONE (X (MEMBER-OF (RULE-DOMAIN R)))
        (= (APPLY-RULE R X) (APPLY-RULE R Y))))))

(DEFTYPE INJECTIVE-RULE
  (WRITABLE-AS R
    (R (INJECTIVE-RULE-BETWEEN S1 S2))
    (S1 SET)
    (S2 SET)))

(DEFTERM (RULE-RANGE (R RULE))
  (THE-SET-OF-ALL
    (WRITABLE-AS (APPLY-RULE R X)
      (X (MEMBER-OF (RULE-DOMAIN R))))))


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The  type  SYMBOL  and  the  macro  QUOTE  are  implemented  primitively.  All 
atomic  quotations  are  symbols.  A  structure  is  a  rule  whose  domain  is  a  set 
of  symbols. 


(DEFTYPE STRUCTURE
  (LAMBDA ((R RULE))
    (AND (EXISTS-SOME
           (MEMBER-OF (RULE-DOMAIN R)))
         (IS-EVERY (MEMBER-OF (RULE-DOMAIN R))
                   SYMBOL))))

(DEFTYPE (SIGNATURE-SYMBOL (W STRUCTURE))
  (MEMBER-OF (RULE-DOMAIN W)))

(DEFTERM (STRUCTURE-COMPONENT
           (STRUCT STRUCTURE)
           (SYM (SIGNATURE-SYMBOL STRUCT)))
  (APPLY-RULE STRUCT SYM))

(DEFTERM (ASSIGN (ARG THING) (VALUE THING) (OLD-RULE RULE))
  (THE-RULE ((X (OR-TYPE
                  (EQUAL-TO ARG)
                  (MEMBER-OF (RULE-DOMAIN OLD-RULE)))))
    (IF (= X ARG)
        VALUE
        (APPLY-RULE OLD-RULE X))))


(LEMMA
  (FORALL ((S SYMBOL)
           (VAL THING)
           (W STRUCTURE))
    (IS (ASSIGN S VAL W)
        STRUCTURE)))


(IN-CONTEXT
  ((LET-BE W STRUCTURE)
   (LET-BE S SYMBOL)
   (LET-BE VAL THING)
   (LET-BE W2 (ASSIGN S VAL W))
   (PUSH-GOAL (IS W2 STRUCTURE)))
  (IN-CONTEXT
    ((LET-BE SYM
       (MEMBER-OF (RULE-DOMAIN W2))))
    (IN-CONTEXT
      ((PUSH-GOAL (IS SYM SYMBOL)))
      (IN-CONTEXT ((SUPPOSE (= SYM S)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))


(DEFTERM (BASE-STRUCTURE (S SYMBOL) (X THING))
  (THE-RULE ((Y (EQUAL-TO S))) X))


(LEMMA
  (FORALL ((S SYMBOL)
           (X THING))
    (IS (BASE-STRUCTURE S X)
        STRUCTURE)))


(IN-CONTEXT
  ((LET-BE S SYMBOL)
   (LET-BE X THING)
   (LET-BE W (BASE-STRUCTURE S X))
   (PUSH-GOAL (IS W STRUCTURE)))
  (NOTE (IS W STRUCTURE)))




(DEFTERM (MAKE-SET-STRUCTURE (S NON-EMPTY-SET))
  (BASE-STRUCTURE 'U-SET S))

(DEFTERM (U-SET (W STRUCTURE))
  (STRUCTURE-COMPONENT W 'U-SET))

(DEFTYPE SET-STRUCTURE
  (LAMBDA ((S STRUCTURE))
    (AND (IS 'U-SET (SIGNATURE-SYMBOL S))
         (IS (U-SET S) NON-EMPTY-SET))))


(LEMMA
  (FORALL ((S NON-EMPTY-SET))
    (IS (MAKE-SET-STRUCTURE S)
        SET-STRUCTURE)))

(LEMMA
  (FORALL ((S NON-EMPTY-SET))
    (= (U-SET (MAKE-SET-STRUCTURE S))
       S)))


(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE W (MAKE-SET-STRUCTURE S))
   (LET-BE SYM 'U-SET))
  (NOTE (IS W SET-STRUCTURE))
  (NOTE (= (U-SET W) S)))


(DEFTYPE (IN-U-SET (W SET-STRUCTURE))
  (MEMBER-OF (U-SET W)))


(LEMMA
  (FORALL ((W SET-STRUCTURE))
    (EXISTS-SOME (IN-U-SET W))))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (X (IN-U-SET W)))
    (IS X THING)))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (X (IN-U-SET W)))
    (IS (MAKE-SET X)
        (NON-EMPTY-SUBSET-OF
          (U-SET W)))))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (X (IN-U-SET W))
           (Y (IN-U-SET W)))
    (IS (MAKE-SET X Y)
        (SUBSET-OF (U-SET W)))))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (X (IN-U-SET W))
           (S3 (SUBSET-OF (U-SET W))))
    (IS (INSERT X S3)
        (SUBSET-OF (U-SET W)))))


(IN-CONTEXT ((LET-BE W SET-STRUCTURE)
             (LET-BE S (U-SET W)))
  (NOTE (EXISTS-SOME (IN-U-SET W)))
  (IN-CONTEXT ((LET-BE X (IN-U-SET W)))
    (NOTE (IS X THING))
    (IN-CONTEXT ((LET-BE SX (MAKE-SET X)))
      (NOTE (IS SX (NON-EMPTY-SUBSET-OF S))))
    (IN-CONTEXT ((LET-BE Y (IN-U-SET W))
                 (LET-BE SXY (MAKE-SET X Y)))
      (NOTE (IS SXY (SUBSET-OF S))))
    (IN-CONTEXT ((LET-BE S2 (SUBSET-OF S))
                 (LET-BE SX2 (INSERT X S2)))
      (NOTE (IS SX2 (SUBSET-OF S))))))


(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (S2 (SUBSET-OF (U-SET W))))
    (IS S2 SET)))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (S2 (SUBSET-OF (U-SET W))))
    (IS-EVERY (MEMBER-OF S2)
              (IN-U-SET W))))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (S2 (SUBSET-OF (U-SET W))))
    (=> (EXISTS-SOME (MEMBER-OF S2))
        (IS S2
            (NON-EMPTY-SUBSET-OF
              (U-SET W))))))


(IN-CONTEXT
  ((LET-BE W SET-STRUCTURE)
   (LET-BE S (U-SET W))
   (LET-BE S2 (SUBSET-OF (U-SET W))))
  (NOTE (IS S2 SET))
  (NOTE (IS-EVERY (MEMBER-OF S2)
                  (IN-U-SET W)))
  (IN-CONTEXT
    ((SUPPOSE
       (EXISTS-SOME (MEMBER-OF S2))))
    (NOTE (IS S2 (NON-EMPTY-SUBSET-OF S)))))


A.3 Maps


The terminology used in the proof of Stone's theorem makes a distinction
between rules and maps: a rule is just a set of pairs while a map consists
of a domain set structure, a range set structure, and a rule between the
underlying sets of the domain and range structures. The significance of the
distinction between rules and maps can be seen in the following formula:


(IS (DOMAIN F) LATTICE)


If F denoted a rule (a set of pairs) there would be no well defined domain
structure for F; at best the domain of F would be an unstructured set. On
the other hand maps, as opposed to rules, have specified domain and range
structures and it is possible that the domain of F is in fact a lattice.

Category theory generalizes the notion of a map to the notion of a
"morphism". A morphism is like a map in that it has a domain and a range but
the domain and range of a morphism need not be set structures. In
anticipation of category theory we define a "mapoid" to be a structure with
domain and range slots. A map is a mapoid in which the domain and range slots
are filled with set structures and where the rule slot is filled with a rule
between the underlying sets of the domain and range.

(DEFTYPE MAPOID
  (LAMBDA ((W STRUCTURE))
    (AND (IS 'DOMAIN (SIGNATURE-SYMBOL W))
         (IS 'RANGE (SIGNATURE-SYMBOL W)))))

(DEFTERM (MAKE-MAPOID (D THING) (R THING) (W STRUCTURE))
  (ASSIGN 'DOMAIN D
    (ASSIGN 'RANGE R W)))

(DEFTERM (DOMAIN (W STRUCTURE))
  (STRUCTURE-COMPONENT W 'DOMAIN))

(DEFTERM (RANGE (W STRUCTURE))
  (STRUCTURE-COMPONENT W 'RANGE))


(LEMMA
  (FORALL ((D THING)
           (R THING)
           (W STRUCTURE))
    (IS (MAKE-MAPOID D R W)
        MAPOID)))

(LEMMA
  (FORALL ((D THING)
           (R THING)
           (W STRUCTURE))
    (= D
       (DOMAIN
         (MAKE-MAPOID D R W)))))

(LEMMA
  (FORALL ((D THING)
           (R THING)
           (W STRUCTURE))
    (= R
       (RANGE
         (MAKE-MAPOID D R W)))))


(IN-CONTEXT
  ((LET-BE D THING)
   (LET-BE R THING)
   (LET-BE W STRUCTURE)
   (LET-BE M (MAKE-MAPOID D R W))
   (LET-BE W2 (ASSIGN 'RANGE R W))
   (LET-BE SYM1 'DOMAIN)
   (LET-BE SYM2 'RANGE))
  (NOTE (IS M MAPOID))
  (NOTE (= D (DOMAIN M)))
  (NOTE (= R (RANGE M))))


(DEFTERM (MAKE-MAP (G SET-STRUCTURE)
                   (H SET-STRUCTURE)
                   (R (RULE-BETWEEN
                        (U-SET G)
                        (U-SET H))))
  (MAKE-MAPOID
    G
    H
    (BASE-STRUCTURE 'RULE R)))

(DEFTYPE (MAP-BETWEEN (G SET-STRUCTURE)
                      (H SET-STRUCTURE))
  (WRITABLE-AS (MAKE-MAP G H R)
    (R (RULE-BETWEEN (U-SET G)
                     (U-SET H)))))


(LEMMA
  (FORALL ((G SET-STRUCTURE)
           (H SET-STRUCTURE))
    (EXISTS-SOME
      (RULE-BETWEEN (U-SET G)
                    (U-SET H)))))

(LEMMA
  (FORALL ((G SET-STRUCTURE)
           (H SET-STRUCTURE)
           (R (RULE-BETWEEN (U-SET G)
                            (U-SET H))))
    (IS R RULE)))

(LEMMA
  (FORALL ((H SET-STRUCTURE)
           (G SET-STRUCTURE)
           (R (RULE-BETWEEN (U-SET G)
                            (U-SET H))))
    (= (RULE-DOMAIN R)
       (U-SET G))))


(IN-CONTEXT
  ((LET-BE G SET-STRUCTURE)
   (LET-BE H SET-STRUCTURE))
  (IN-CONTEXT
    ((LET-BE S1 (U-SET G))
     (LET-BE S2 (U-SET H)))
    (NOTE
      (EXISTS-SOME (RULE-BETWEEN S1 S2)))
    (IN-CONTEXT
      ((LET-BE R (RULE-BETWEEN S1 S2)))
      (NOTE (IS R RULE))
      (NOTE (= (RULE-DOMAIN R) (U-SET G)))
      (NOTE
        (FORALL ((X (MEMBER-OF
                      (RULE-DOMAIN R))))
          (IS (APPLY-RULE R X)
              (MEMBER-OF (U-SET H))))))))


(LEMMA
  (FORALL
    ((G SET-STRUCTURE)
     (H SET-STRUCTURE)
     (R (RULE-BETWEEN (U-SET G)
                      (U-SET H)))
     (X (MEMBER-OF (RULE-DOMAIN R))))
    (IS (APPLY-RULE R X)
        (MEMBER-OF (U-SET H)))))


(DEFTYPE (MAP-ON (G SET-STRUCTURE))
  (WRITABLE-AS F
    (F (MAP-BETWEEN G H))
    (H SET-STRUCTURE)))

(DEFTYPE (MAP-INTO (H SET-STRUCTURE))
  (WRITABLE-AS F
    (F (MAP-BETWEEN G H))
    (G SET-STRUCTURE)))

(DEFTYPE MAP
  (WRITABLE-AS (MAP-BETWEEN G H)
    (G SET-STRUCTURE)
    (H SET-STRUCTURE)))

(DEFTERM (MAP-RULE (M MAP))
  (STRUCTURE-COMPONENT M 'RULE))




(LEMMA
  (FORALL ((H SET-STRUCTURE)
           (G SET-STRUCTURE)
           (R (RULE-BETWEEN
                (U-SET G)
                (U-SET H))))
    (= (DOMAIN (MAKE-MAP G H R))
       G)))

(LEMMA
  (FORALL ((G SET-STRUCTURE)
           (H SET-STRUCTURE)
           (R (RULE-BETWEEN (U-SET G)
                            (U-SET H))))
    (= (RANGE (MAKE-MAP G H R))
       H)))

(LEMMA
  (FORALL ((G SET-STRUCTURE)
           (H SET-STRUCTURE)
           (R (RULE-BETWEEN
                (U-SET G)
                (U-SET H))))
    (= (MAP-RULE (MAKE-MAP G H R))
       R)))


(IN-CONTEXT
  ((LET-BE G SET-STRUCTURE)
   (LET-BE H SET-STRUCTURE)
   (LET-BE R (RULE-BETWEEN
               (U-SET G)
               (U-SET H)))
   (LET-BE M (MAKE-MAP G H R))
   (LET-BE B (BASE-STRUCTURE
               'RULE
               R))
   (LET-BE W (ASSIGN 'RANGE H B))
   (LET-BE SYM1 'DOMAIN)
   (LET-BE SYM2 'RANGE)
   (LET-BE SYM3 'RULE))
  (NOTE (= (DOMAIN M) G))
  (NOTE (= (RANGE M) H))
  (NOTE (= (MAP-RULE M) R)))


(LEMMA
  (FORALL ((H SET-STRUCTURE)
           (G SET-STRUCTURE)
           (M (MAP-BETWEEN G H)))
    (= G (DOMAIN M))))

(LEMMA
  (FORALL ((G SET-STRUCTURE)
           (H SET-STRUCTURE)
           (M (MAP-BETWEEN G H)))
    (= H (RANGE M))))


(IN-CONTEXT
  ((LET-BE G SET-STRUCTURE)
   (LET-BE H SET-STRUCTURE)
   (LET-BE M (MAP-BETWEEN G H))
   (WRITE-AS M (MAKE-MAP G H R)
     (R (RULE-BETWEEN
          (U-SET G)
          (U-SET H)))))
  (NOTE (= (DOMAIN M) G))
  (NOTE (= (RANGE M) H)))


(DEFTERM (APPLY-MAP (F MAP)
                    (X (IN-U-SET (DOMAIN F))))
  (APPLY-RULE (MAP-RULE F) X))
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(LEHMA 

(FOR ALL  ((H  KIP)) 

(IS  (DOKill  K) 

SET-STRULTURE) ) ) 

(LEHHA 

(FORiLL  ( (K  HIP)) 

(=  ;rule-dohaii  (kip- rule  h)) 

CJ-SET  (DOHAII  H))))) 

(LEWU 

(FORiLL  ( (H  HIP)) 

(IS  (RilGE  H)  SET-STRUCTURE})) 

(LEHHA 

(FORiLL  ((H  HiP)) 

(IS  (KiP-RULE  K) 

(  RULE-BETS  EEI 

(U-SET  (DOHAII  H)) 

(O-SET  (RAIGE  H)))))) 

(LEKKi 

(FORiLL  ((K  KiP) 

(I  (Il-O-SET  (DOKill  K)))) 
(IS  (iPPLT-HiP  H  X) 

(Il-O-SET  (RilGE  H)) ) ) ) 


(If-COITEXT 

((LET-BE  I  SIP) 

( WRITE- iS  K  (JtiP-SETVEEI  G  H) 

(G  SET- STRUCTURE) 

(H  SET- STRUCTURE)) 

(VRITE-iS  K  (SiXE-MiP  GBR) 

(R  (RULE-BETVEEI  (U-SET  G) 

(U-SET  3)))) 

(LET-BE  I  (II-U-SET  (DOKill  H)))) 
(IOTE  (IS  (DOHill  H)  SET-STRUCTURE) ) 
(IOTE  («  (RULE-DOKiH  (HiP-R'JLE  H) ) 
(U-SET  (DOKill  H)))> 

(IOTE  (IS  (RilGE  H)  SET-STRUCTURE)) 
(IOTE  (IS  (KiP-RULE  10 
(RULE-BETVEEI 

(U-SET  (DOKill  K)) 

(U-SET  (URGE  H))))) 
(IOTE  CIS  (iPPLT-KIP  K  I) 

(II-U-5ET  (RAIGE  K))))) 


(DEFTYPE  (II-IUP-DOHill  (F  lUP)) 
(II-U-SET  (DOKill  F))) 

(DEFTYPS  (II-KiP-RifGE  (F  KiP)> 
(II-U-SET  (RilGE  F))) 


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APPENDIX  A.  THE  STONE  REPRESENTATION  THEOREM 


(LEMMA
  (FORALL ((M MAP))
    (IS (U-SET (DOMAIN M))
        SET)))

(LEMMA
  (FORALL ((M MAP))
    (= (IN-U-SET (DOMAIN M))
       (MEMBER-OF
         (U-SET (DOMAIN M))))))

(LEMMA
  (FORALL ((M MAP))
    (EXISTS-SOME
      (MEMBER-OF
        (U-SET (DOMAIN M))))))

(LEMMA
  (FORALL ((M MAP))
    (IS (U-SET (RANGE M))
        SET)))

(LEMMA
  (FORALL ((M MAP))
    (= (IN-U-SET (RANGE M))
       (MEMBER-OF
         (U-SET (RANGE M))))))

(LEMMA
  (FORALL ((M MAP))
    (EXISTS-SOME
      (MEMBER-OF
        (U-SET (RANGE M))))))

(IN-CONTEXT
  ((LET-BE M MAP))
  (IN-CONTEXT
    ((LET-BE G (DOMAIN M))
     (LET-BE S (U-SET G)))
    (NOTE (IS S SET))
    (NOTE (= (IN-U-SET G)
             (MEMBER-OF S)))
    (NOTE
      (EXISTS-SOME (MEMBER-OF S))))
  (IN-CONTEXT
    ((LET-BE G (RANGE M))
     (LET-BE S (U-SET G)))
    (NOTE (IS S SET))
    (NOTE (= (IN-U-SET G)
             (MEMBER-OF S)))
    (NOTE
      (EXISTS-SOME (MEMBER-OF S)))))

(LEMMA
  (FORALL ((M MAP))
    (IS (MAP-RULE M) RULE)))

(IN-CONTEXT
  ((LET-BE M MAP)
   (LET-BE R (MAP-RULE M))
   (LET-BE S1 (U-SET (DOMAIN M)))
   (LET-BE S2 (U-SET (RANGE M))))
  (NOTE (IS R RULE)))

(DEFTERM (APPLY-MAP-TO-SET
           (F MAP)
           (S (SUBSET-OF (U-SET (DOMAIN F)))))
  (THE-SET-OF-ALL
    (WRITABLE-AS (APPLY-MAP F X)
                 (X (MEMBER-OF S)))))

(LEMMA
  (FORALL ((M MAP)
           (S (SUBSET-OF
                (U-SET (DOMAIN M)))))
    (IS (APPLY-MAP-TO-SET M S)
        (SUBSET-OF
          (U-SET (RANGE M))))))

(IN-CONTEXT
  ((LET-BE M MAP)
   (LET-BE DSET (U-SET (DOMAIN M)))
   (LET-BE RSET (U-SET (RANGE M)))
   (LET-BE S (SUBSET-OF DSET))
   (LET-BE S2 (APPLY-MAP-TO-SET M S))
   (PUSH-GOAL
     (IS S2 (SUBSET-OF RSET))))
  (IN-CONTEXT
    ((SUPPOSE
       (EXISTS-SOME (MEMBER-OF S2)))
     (LET-BE X (MEMBER-OF S2))
     (WRITE-AS X (APPLY-MAP M Y)
               (Y (MEMBER-OF S))))
    (NOTE-GOAL))
  (NOTE-GOAL))

(DEFTERM (IMAGE (F MAP))
  (APPLY-MAP-TO-SET F (U-SET (DOMAIN F))))

(LEMMA
  (FORALL ((M MAP))
    (= (IMAGE M)
       (THE-SET-OF-ALL
         (WRITABLE-AS (APPLY-MAP M X)
                      (X (IN-U-SET
                           (DOMAIN M))))))))

(LEMMA
  (FORALL ((M MAP))
    (EXISTS-SOME
      (MEMBER-OF (IMAGE M)))))

(LEMMA
  (FORALL ((M MAP))
    (IS (IMAGE M)
        (NON-EMPTY-SUBSET-OF
          (U-SET (RANGE M))))))

(IN-CONTEXT
  ((LET-BE M MAP)
   (LET-BE S (U-SET (DOMAIN M)))
   (LET-BE S2 (IMAGE M)))
  (NOTE
    (= (IMAGE M)
       (THE-SET-OF-ALL
         (WRITABLE-AS (APPLY-MAP M X)
                      (X (IN-U-SET
                           (DOMAIN M)))))))
  (IN-CONTEXT
    ((LET-BE S3 (U-SET (RANGE M)))
     (LET-BE X (IN-U-SET (DOMAIN M))))
    (NOTE
      (EXISTS-SOME (MEMBER-OF (IMAGE M))))
    (NOTE
      (IS S2 (NON-EMPTY-SUBSET-OF S3)))))

(DEFTERM (PREIMAGE (F MAP)
                   (S (SUBSET-OF
                        (U-SET (RANGE F)))))
  (THE-SET-OF-ALL (X (MEMBER-OF
                       (U-SET (DOMAIN F))))
    (IS (APPLY-MAP F X) (MEMBER-OF S))))




(LEMMA
  (FORALL ((F MAP)
           (S (NON-EMPTY-SUBSET-OF
                (IMAGE F))))
    (IS S
        (SUBSET-OF
          (U-SET (RANGE F))))))

(LEMMA
  (FORALL ((F MAP)
           (S (NON-EMPTY-SUBSET-OF
                (IMAGE F))))
    (EXISTS-SOME (MEMBER-OF S))))

(LEMMA
  (FORALL ((F MAP)
           (Y (MEMBER-OF (IMAGE F))))
    (EXISTS-SOME
      (MEMBER-OF
        (PREIMAGE F (MAKE-SET Y))))))

(LEMMA
  (FORALL ((F MAP)
           (Y (MEMBER-OF (IMAGE F))))
    (= (PREIMAGE F (MAKE-SET Y))
       (THE-SET-OF-ALL
         (X (IN-U-SET (DOMAIN F)))
         (= (APPLY-MAP F X) Y)))))

(IN-CONTEXT
  ((LET-BE F MAP)
   (LET-BE ISET (IMAGE F))
   (LET-BE S (NON-EMPTY-SUBSET-OF
               (IMAGE F)))
   (LET-BE RSET (U-SET (RANGE F))))
  (NOTE (IS S (SUBSET-OF RSET)))
  (NOTE (EXISTS-SOME (MEMBER-OF S))))

(IN-CONTEXT
  ((LET-BE F MAP)
   (LET-BE ISET (IMAGE F))
   (LET-BE Y (MEMBER-OF ISET))
   (LET-BE SY (MAKE-SET Y))
   (LET-BE PRE-Y1 (PREIMAGE F SY))
   (LET-BE PRE-Y2
     (THE-SET-OF-ALL (X (IN-U-SET
                          (DOMAIN F)))
       (= (APPLY-MAP F X) Y))))
  (IN-CONTEXT
    ((WRITE-AS Y (APPLY-MAP F X)
               (X (IN-U-SET (DOMAIN F)))))
    (NOTE
      (EXISTS-SOME (MEMBER-OF PRE-Y1))))
  (IN-CONTEXT
    ((PUSH-GOAL (= PRE-Y1 PRE-Y2)))
    (IN-CONTEXT
      ((LET-BE X (MEMBER-OF PRE-Y1))
       (LET-BE FX (APPLY-MAP F X)))
      (NOTE (IS PRE-Y1 (SUBSET-OF PRE-Y2)))
      (NOTE
        (EXISTS-SOME (MEMBER-OF PRE-Y2))))
    (IN-CONTEXT
      ((LET-BE X (MEMBER-OF PRE-Y2)))
      (NOTE-GOAL))))

(DEFTYPE INJECTION
  (LAMBDA ((F MAP))
    (IS (MAP-RULE F)
        INJECTIVE-RULE)))

(LEMMA
  (FORALL ((M MAP))
    (=> (FORALL ((X (MEMBER-OF
                      (IMAGE M))))
          (IS (PREIMAGE M (MAKE-SET X))
              SINGLETON-SET))
        (IS M INJECTION))))

(IN-CONTEXT
  ((LET-BE M MAP)
   (SUPPOSE
     (FORALL ((Y (MEMBER-OF (IMAGE M))))
       (IS (PREIMAGE M (MAKE-SET Y))
           SINGLETON-SET)))
   (PUSH-GOAL (IS M INJECTION)))
  (IN-CONTEXT
    ((LET-BE R (MAP-RULE M))
     (LET-BE S1 (U-SET (DOMAIN M)))
     (LET-BE S2 (U-SET (RANGE M)))
     (LET-BE X (IN-U-SET (DOMAIN M)))
     (LET-BE MX (APPLY-MAP M X)))
    (IN-CONTEXT
      ((LET-BE PRE-MX
         (PREIMAGE M (MAKE-SET MX))))
      (NOTE (EXACTLY-ONE (MEMBER-OF PRE-MX))))
    (IN-CONTEXT
      ((LET-BE X2 (IN-U-SET (DOMAIN M))
         (= (APPLY-RULE R X2)
            (APPLY-MAP M X)))
       (LET-BE X3 (IN-U-SET (DOMAIN M))
         (= (APPLY-RULE R X3)
            (APPLY-MAP M X))))
      (NOTE-GOAL))))

(DEFTYPE (INJECTION-BETWEEN (G SET-STRUCTURE)
                            (H SET-STRUCTURE))
  (AND-TYPE (MAP-BETWEEN G H)
            INJECTION))

(DEFTYPE SURJECTION
  (LAMBDA ((F MAP))
    (= (IMAGE F)
       (U-SET (RANGE F)))))

(DEFTYPE (SURJECTION-BETWEEN (G SET-STRUCTURE)
                             (H SET-STRUCTURE))
  (AND-TYPE (MAP-BETWEEN G H)
            SURJECTION))

(DEFTYPE BIJECTION
  (AND-TYPE SURJECTION
            INJECTION))

(DEFTYPE (BIJECTION-BETWEEN (G SET-STRUCTURE)
                            (H SET-STRUCTURE))
  (AND-TYPE (MAP-BETWEEN G H)
            BIJECTION))

(DEFTERM (IDENTITY-MAP (W SET-STRUCTURE))
  (MAKE-MAP
    W
    W
    (THE-RULE ((X (IN-U-SET W)))
      X)))
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APPENDIX  A.  THE  STONE  REPRESENTATION  THEOREM 


(LEMMA
  (FORALL ((W SET-STRUCTURE))
    (IS (IDENTITY-MAP W)
        (MAP-BETWEEN W W))))

(LEMMA
  (FORALL ((W SET-STRUCTURE)
           (X (MEMBER-OF (U-SET W))))
    (= (APPLY-MAP (IDENTITY-MAP W) X)
       X)))

(IN-CONTEXT ((LET-BE W SET-STRUCTURE)
             (LET-BE R
               (THE-RULE ((X (IN-U-SET W)))
                 X))
             (LET-BE S (U-SET W))
             (LET-BE X (MEMBER-OF S))
             (LET-BE I (IDENTITY-MAP W)))
  (NOTE (IS I (MAP-BETWEEN W W)))
  (NOTE (= (APPLY-MAP I X) X)))

(LEMMA
  (FORALL ((W SET-STRUCTURE))
    (IS (IDENTITY-MAP W) BIJECTION)))

(IN-CONTEXT
  ((LET-BE W SET-STRUCTURE)
   (LET-BE I (IDENTITY-MAP W))
   (PUSH-GOAL (IS I BIJECTION)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS I SURJECTION)))
    (IN-CONTEXT
      ((LET-BE ISET1 (IMAGE I))
       (LET-BE ISET2 (U-SET W))
       (PUSH-GOAL (= ISET1 ISET2)))
      (IN-CONTEXT
        ((LET-BE X (MEMBER-OF ISET2)))
        (NOTE-GOAL)))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL (IS I INJECTION))
     (LET-BE X (IN-U-SET (RANGE I)))
     (LET-BE PRE-X
       (PREIMAGE I (MAKE-SET X)))
     (LET-BE PREX1 (MEMBER-OF PRE-X))
     (LET-BE PREX2 (MEMBER-OF PRE-X)))
    (NOTE (EXACTLY-ONE
            (MEMBER-OF PRE-X)))
    (NOTE-GOAL))
  (NOTE-GOAL))

(LEMMA (EXISTS-SOME INJECTION))

(IN-CONTEXT ((LET-BE M BIJECTION))
  (NOTE (EXISTS-SOME INJECTION)))

(LEMMA
  (FORALL ((M INJECTION)
           (Y (MEMBER-OF (IMAGE M))))
    (EXACTLY-ONE (X (IN-U-SET
                      (DOMAIN M)))
      (= (APPLY-MAP M X)
         Y))))

(IN-CONTEXT
  ((LET-BE M INJECTION)
   (LET-BE Y (MEMBER-OF (IMAGE M)))
   (PUSH-GOAL
     (EXACTLY-ONE (X (IN-U-SET (DOMAIN M)))
       (= (APPLY-MAP M X)
          Y))))
  (IN-CONTEXT
    ((LET-BE R (MAP-RULE M))
     (WRITE-AS R (INJECTIVE-RULE-BETWEEN DSET S3)
               (DSET SET)
               (S3 SET)))
    (IN-CONTEXT
      ((WRITE-AS Y (APPLY-MAP M X)
                 (X (IN-U-SET (DOMAIN M)))))
      (NOTE (EXISTS (S2 (IN-U-SET (DOMAIN M)))
              (= (APPLY-MAP M S2)
                 Y))))
    (IN-CONTEXT
      ((LET-BE X1 (IN-U-SET (DOMAIN M))
         (= (APPLY-MAP M X1) Y))
       (LET-BE X2 (IN-U-SET (DOMAIN M))
         (= (APPLY-MAP M X2) Y)))
      (NOTE-GOAL))))

(DEFTYPE (STRUCTURE-CONTAINING (S SET))
  (LAMBDA ((W SET-STRUCTURE))
    (IS S (SUBSET-OF (U-SET W)))))

(LEMMA
  (FORALL ((S NON-EMPTY-SET))
    (IS (MAKE-SET-STRUCTURE S)
        (STRUCTURE-CONTAINING S))))

(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE W (MAKE-SET-STRUCTURE S)))
  (NOTE (IS W (STRUCTURE-CONTAINING S))))

(DEFTERM (SET!-RANGE
           (F MAP)
           (W (STRUCTURE-CONTAINING (IMAGE F))))
  (MAKE-MAP (DOMAIN F) W (MAP-RULE F)))

(LEMMA
  (FORALL ((F MAP))
    (EXISTS-SOME
      (STRUCTURE-CONTAINING
        (IMAGE F)))))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F))))
    (IS W SET-STRUCTURE)))

(IN-CONTEXT ((LET-BE F MAP))
  (IN-CONTEXT ((LET-BE ISET (IMAGE F)))
    (NOTE
      (EXISTS-SOME
        (STRUCTURE-CONTAINING (IMAGE F))))
    (IN-CONTEXT
      ((LET-BE W
         (STRUCTURE-CONTAINING (IMAGE F))))
      (NOTE (IS W SET-STRUCTURE)))))




(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F)))
           (X (MEMBER-OF (IMAGE F))))
    (IS X (IN-U-SET W))))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F))))
    (IS (MAP-RULE F)
        (RULE-BETWEEN (U-SET (DOMAIN F))
                      (U-SET W)))))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F))))
    (IS (SET!-RANGE F W)
        (MAP-BETWEEN (DOMAIN F) W))))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F))))
    (IS (SET!-RANGE F W)
        MAP)))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F))))
    (= (DOMAIN (SET!-RANGE F W))
       (DOMAIN F))))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F))))
    (= (RANGE (SET!-RANGE F W))
       W)))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F))))
    (= (MAP-RULE (SET!-RANGE F W))
       (MAP-RULE F))))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F)))
           (X (IN-U-SET
                (DOMAIN
                  (SET!-RANGE F W)))))
    (= (APPLY-MAP (SET!-RANGE F W)
                  X)
       (APPLY-MAP F X))))

(IN-CONTEXT
  ((LET-BE F MAP)
   (LET-BE W
     (STRUCTURE-CONTAINING
       (IMAGE F)))
   (LET-BE R (MAP-RULE F)))
  (IN-CONTEXT
    ((LET-BE X (MEMBER-OF
                 (IMAGE F)))
     (LET-BE S1 (U-SET W))
     (LET-BE S2 (IMAGE F)))
    (NOTE (IS X (IN-U-SET W))))
  (IN-CONTEXT
    ((PUSH-GOAL
       (IS R (RULE-BETWEEN
               (U-SET (DOMAIN F))
               (U-SET W))))
     (LET-BE DSET (U-SET (DOMAIN F)))
     (LET-BE WSET (U-SET W))
     (LET-BE X (MEMBER-OF DSET))
     (LET-BE RX (APPLY-RULE R X)))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((LET-BE F2 (SET!-RANGE F W)))
    (IN-CONTEXT
      ((LET-BE DSTRUCT (DOMAIN F)))
      (NOTE
        (IS F2 (MAP-BETWEEN DSTRUCT W)))
      (NOTE (IS F2 MAP))
      (NOTE (= (DOMAIN F2) (DOMAIN F)))
      (NOTE (= (RANGE F2) W))
      (NOTE (= (MAP-RULE F2)
               (MAP-RULE F))))
    (IN-CONTEXT
      ((LET-BE X (IN-U-SET (DOMAIN F2))))
      (NOTE (= (APPLY-MAP F2 X)
               (APPLY-MAP F X))))))

(LEMMA
  (FORALL ((F MAP)
           (W (STRUCTURE-CONTAINING
                (IMAGE F))))
    (= (IMAGE F)
       (IMAGE (SET!-RANGE F W)))))

(IN-CONTEXT
  ((LET-BE F MAP)
   (LET-BE W (STRUCTURE-CONTAINING
               (IMAGE F)))
   (LET-BE F2 (SET!-RANGE F W))
   (LET-BE ISET (IMAGE F))
   (LET-BE ISET2 (IMAGE F2))
   (PUSH-GOAL (= ISET ISET2)))
  (IN-CONTEXT
    ((LET-BE X (MEMBER-OF ISET))
     (WRITE-AS X (APPLY-MAP F Y)
               (Y (IN-U-SET (DOMAIN F)))))
    (NOTE (IS ISET (SUBSET-OF ISET2))))
  (IN-CONTEXT
    ((LET-BE X (MEMBER-OF ISET2))
     (WRITE-AS X (APPLY-MAP F2 Y)
               (Y (IN-U-SET (DOMAIN F2)))))
    (NOTE (IS ISET2 (SUBSET-OF ISET))))
  (NOTE-GOAL))
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A. 4 


Relations,  Choice,  and  Relation  Struc¬ 
tures 


Relations are implemented as non-deterministic rules. More specifically, a relation is implemented as a rule that maps an object to a set of "possible values". Objects x and y are related under the relation r just in case y is a member of the set r(x).

A relation r is "total" just in case for all x in the rule domain of r the set r(x) is not empty. A choice function for a total relation r is a rule r' such that for all x in the rule domain of r, r'(x) is a member of r(x). The axiom of choice (as stated here) says that every total relation has at least one choice function.

Transitive, symmetric, antisymmetric, reflexive and irreflexive relations are defined in the standard ways and some standard facts are proven, e.g. a transitive irreflexive relation is antisymmetric.

A relation structure is a set structure with a slot that contains a relation on the underlying set. This section contains a surprising number of trivial facts about relation structures.
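The encoding described above, as an added example that is not part of the thesis or of the Ontic system: a relation on a finite set is modelled as a dict standing in for the Ontic rule, mapping each x to the set r(x), and the total-relation, choice-function and relation-property definitions of this section are written against that encoding; the sample set S and the two relations on it are constructed here.

```python
from itertools import product

# Constructed sample data (not from the thesis): a set S and two relations on
# it encoded as this appendix encodes a RELATION-ON S: a rule (here a dict)
# that maps each x in S to the SET r(x) of its "possible values".
# (IS y (RELATED-TO x r)) then means y is a member of r(x).
S = frozenset({1, 2, 3, 4})
PROPER_DIVIDES = {x: frozenset(y for y in S if y % x == 0 and y != x) for x in S}
LEQ = {x: frozenset(y for y in S if x <= y) for x in S}


def related(r, x, y):
    """(IS y (RELATED-TO x r)): y is a member of the set r(x)."""
    return y in r[x]


def is_relation_on(r, s):
    """(RELATION-ON s): the rule domain is s and each r(x) is a subset of s,
    i.e. r is a rule between s and (POWER-SET s)."""
    return set(r) == set(s) and all(r[x] <= s for x in s)


def is_total(r):
    """TOTAL-RELATION: r(x) is non-empty for every x in the rule domain."""
    return all(r[x] for x in r)


def is_choice_function_for(f, r):
    """CHOICE-FUNCTION-FOR r: a rule f on the rule domain of r with f(x) in r(x)."""
    return set(f) == set(r) and all(f[x] in r[x] for x in r)


def a_choice_function(r):
    """Exhibit a choice function for a total relation. For a finite relation
    no axiom is needed: pick the least element of each r(x)."""
    if not is_total(r):
        raise ValueError("only total relations have choice functions")
    return {x: min(r[x]) for x in r}


def is_reflexive(r, s):
    return all(related(r, x, x) for x in s)


def is_irreflexive(r, s):
    return not any(related(r, x, x) for x in s)


def is_symmetric(r, s):
    return all(related(r, x, y) == related(r, y, x) for x, y in product(s, s))


def is_antisymmetric(r, s):
    # The appendix's form: no two DISTINCT members (OTHER-MEMBER) are related
    # in both directions.
    return not any(related(r, x, y) and related(r, y, x)
                   for x, y in product(s, s) if x != y)


def is_transitive(r, s):
    # For every y related to x, (IS-EVERY (RELATED-TO y r) (RELATED-TO x r)).
    return all(related(r, x, z) for x in s for y in r[x] for z in r[y])


def lemma_holds(r, s):
    """Finite instance of the lemma proved in this section: a transitive
    irreflexive relation is antisymmetric. Vacuous if the hypothesis fails."""
    if is_transitive(r, s) and is_irreflexive(r, s):
        return is_antisymmetric(r, s)
    return True
```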




(DEFTYPE RELATION
  (LAMBDA ((R RULE))
    (FORALL ((X (MEMBER-OF (RULE-DOMAIN R))))
      (IS (APPLY-RULE R X) SET))))

(DEFTYPE (RELATED-TO (X (MEMBER-OF (RULE-DOMAIN R)))
                     (R RELATION))
  (MEMBER-OF (APPLY-RULE R X)))

(DEFTERM (RELATION-RANGE (R RELATION))
  (FAMILY-UNION (RULE-RANGE R)))

(DEFTYPE TOTAL-RELATION
  (LAMBDA ((R RELATION))
    (FORALL ((X (MEMBER-OF (RULE-DOMAIN R))))
      (EXISTS-SOME (RELATED-TO X R)))))

(DEFTYPE (CHOICE-FUNCTION-FOR (R TOTAL-RELATION))
  (LAMBDA ((R2 (RULE-BETWEEN
                 (RULE-DOMAIN R)
                 (RELATION-RANGE R))))
    (FORALL ((X (MEMBER-OF (RULE-DOMAIN R))))
      (IS (APPLY-RULE R2 X)
          (MEMBER-OF (APPLY-RULE R X))))))

;the axiom of choice:

(AXIOM
  (FORALL ((R TOTAL-RELATION))
    (EXISTS-SOME (CHOICE-FUNCTION-FOR R))))

(DEFTYPE (RELATION-ON (S SET))
  (RULE-BETWEEN S (POWER-SET S)))

(LEMMA
  (FORALL ((S SET))
    (EXISTS-SOME (RELATION-ON S))))

(LEMMA
  (FORALL ((S SET)
           (R (RELATION-ON S)))
    (IS R RELATION)))

(LEMMA
  (FORALL ((S SET)
           (R (RELATION-ON S)))
    (= (RULE-DOMAIN R) S)))

(IN-CONTEXT
  ((LET-BE S SET)
   (LET-BE P (POWER-SET S)))
  (NOTE (EXISTS-SOME (RELATION-ON S)))
  (IN-CONTEXT ((LET-BE R (RELATION-ON S)))
    (IN-CONTEXT ((PUSH-GOAL (IS R RELATION)))
      (IN-CONTEXT
        ((SUPPOSE
           (EXISTS-SOME (MEMBER-OF S)))
         (LET-BE X (MEMBER-OF S))
         (LET-BE T (APPLY-RULE R X)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE (= (RULE-DOMAIN R) S))))




(LEMMA
  (FORALL ((S NON-EMPTY-SET)
           (R RELATION))
    (=> (AND (FORALL ((X (MEMBER-OF S)))
               (IS (APPLY-RULE R X)
                   (SUBSET-OF S)))
             (= (RULE-DOMAIN R) S))
        (IS R (RELATION-ON S)))))

(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE R RELATION)
   (SUPPOSE (= (RULE-DOMAIN R) S))
   (SUPPOSE (FORALL ((X (MEMBER-OF S)))
              (IS (APPLY-RULE R X)
                  (SUBSET-OF S))))
   (PUSH-GOAL (IS R (RELATION-ON S))))
  (IN-CONTEXT ((LET-BE X (MEMBER-OF S))
               (LET-BE Y
                 (APPLY-RULE R X))
               (LET-BE P (POWER-SET S)))
    (NOTE-GOAL)))

(LEMMA
  (FORALL ((S NON-EMPTY-SET)
           (X (MEMBER-OF S))
           (R (RELATION-ON S))
           (Y (RELATED-TO X R)))
    (IS Y (MEMBER-OF S))))

(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE R (RELATION-ON S))
   (LET-BE X (MEMBER-OF S))
   (PUSH-GOAL (IS-EVERY (RELATED-TO X R)
                        (MEMBER-OF S))))
  (IN-CONTEXT
    ((SUPPOSE
       (EXISTS-SOME (RELATED-TO X R)))
     (LET-BE Y
       (RELATED-TO X R))
     (LET-BE P (POWER-SET S))
     (LET-BE S2
       (APPLY-RULE R X)))
    (NOTE-GOAL))
  (NOTE-GOAL))

(DEFTERM (PROVIDE-RELATION (R (RELATION-ON (U-SET W)))
                           (W SET-STRUCTURE))
  (ASSIGN 'RELATION R W))

(DEFTYPE RELATION-STRUCTURE
  (LAMBDA ((W SET-STRUCTURE))
    (AND (IS 'RELATION
             (SIGNATURE-SYMBOL W))
         (IS (STRUCTURE-COMPONENT W 'RELATION)
             (RELATION-ON (U-SET W))))))

(DEFTERM (GET-RELATION (S RELATION-STRUCTURE))
  (STRUCTURE-COMPONENT S 'RELATION))


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(LERKA 

(FORALL  ((¥  SET- STRUCTURE)) 
(EJISTS-SOKE 

(RELATIQI-OI  (B-SET  ¥)>)>> 

(LERKA 

(FCRALL  ((¥  SET-STRUCTURE) 

(R  CRELATIOI-Ol  (U-SET  ¥)))) 
(IS  (PROVIDE-RELATIOI  R  M) 
RELATIOI-STRUCTURE) )) 

(LERKA 

(FORALL  ((¥  SET-STRUCTURE) 

(R  (RELATIOR-OI  (U-SET  ¥))>) 
(»  (GET-RELATIOI 

(PROVIDE-RELATIOI  R  ¥)> 

E.))) 


(II-COITEIT  ((LET-BE  U  SET-STRUCTURE) 
(LET-BE  S  (U-SET  ¥>)) 

(IOTE 

(EIISTS-SOHE  (RELATIOI-OI  (O-SET  ¥>))) 
(II-COITEIT 

((LET-BE  R  (RELATIOI-OI  (U-SET  ¥))> 
(LET-BE  V2  (PROVIDE-RELATIOI  R  «)) 
(LET-BE  SYRl  >  RELATIOI) 

(LET-BE  SYH2  >U-SET)) 

(IOTE  (IS  ¥2  RELATIOI-STRUCTURE)) 

(IOTE  (»  (CET-RELATIOI  ¥2)  R)) 

(IOTE  (»  (U-SET  ¥2)  (U-SET  ¥))))) 


(LEXKA 

(FORALL  ((¥  SET- STRUCTURE) 

(R  (RELATIOI-OI  (U-SET  ¥)))) 
(  =  (U-SET  (PROVIDE-RELATIOI  R  ¥) ) 
(U-SET  ¥)))) 


(DEFTERH  (HAAE-RELATI 01-STRUCTURE  (X  (RELATIOI-OI  S)) 

(S  SET)) 

(PROVIDE-RELATIOI  I  (KAAE-SET- STRUCTURE  S))) 


(LERKA 

(FORALL  C(S  IOI-EHPTT-SET) 

(R  (RELATIOI-OI  S))) 

(IS  (MARE- RELATIOI- STRUCTURE  R  S) 
RELATIOI-STRUCTURE) ) ) 

(LERKA 

(FCRALL  ((S  IOI-EHPTT-SET) 

(R  (RELATI3I-0I  S))) 

(*  (GET-RELATIOI 

(HAKE-IELATTOI-STRUCTURE  R  S)> 
R))) 


(II-COITEXT 

((LET-BE  S  IOI-EHPTT-SET) 

(LET-BE  %  (RELATIOI-OI  S) ) 

(LET-BE  *  (HAIE-IELATIOI-STRUCTURE  E  S)> 
(LET-BE  ¥2  (RAIKSET- STRUCTURE  S))> 

(IOTE  (IS  ¥  RELATIOI-STRUCTURE) ) 

(IOTE  («  (CET-RELATIOI  ¥)  I)) 

UOTE  (»  (U-SET  ¥)  S))) 


(LEKHA 

(FORALL  ((S  IOI-EHPTT-SET) 

(I  (RELATIOI-OI  S))) 

(»  (U-SET 

(KAtE-RELATTOI-STRUCTURE  1  S)> 
S))) 


(DEFTER*  (RESTRICT- RELATIOI -STRUCTURE 
(I  RELATIOI- STRUCTURE) 

(S  (IOI-EKPTT-SUBSET-QF  (U-SET  R))>) 
(HAIS-RELATIOI -STRUCTURE 

(RESTRICT -RELATIOI  (GET-RELATIOI  R)  S)  S)) 




(LEMMA
  (FORALL ((R RELATION)
           (S2 (SUBSET-OF
                 (RULE-DOMAIN R))))
    (IS (RESTRICT-RELATION R S2)
        (RELATION-ON S2))))

(LEMMA
  (FORALL ((R RELATION)
           (S2 (SUBSET-OF
                 (RULE-DOMAIN R)))
           (X1 (MEMBER-OF S2))
           (X2 (MEMBER-OF S2)))
    (IFF
      (IS X1
          (RELATED-TO X2 R))
      (IS X1
          (RELATED-TO X2
                      (RESTRICT-RELATION R S2))))))

(IN-CONTEXT
  ((LET-BE R RELATION)
   (LET-BE S (RULE-DOMAIN R))
   (LET-BE S2 (SUBSET-OF S))
   (LET-BE R2 (RESTRICT-RELATION R S2)))
  (IN-CONTEXT
    ((PUSH-GOAL (IS R2 (RELATION-ON S2))))
    (IN-CONTEXT
      ((SUPPOSE
         (EXISTS-SOME (MEMBER-OF S2)))
       (LET-BE X (MEMBER-OF S2))
       (LET-BE S3 (APPLY-RULE R X))
       (LET-BE S4 (APPLY-RULE R2 X)))
      (NOTE-GOAL))
    (IN-CONTEXT
      ((SUPPOSE
         (NOT
           (EXISTS-SOME (MEMBER-OF S2))))
       (LET-BE P (POWER-SET S2)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL
       (FORALL ((X (MEMBER-OF S2))
                (Y (MEMBER-OF S2)))
         (IFF (IS X (RELATED-TO Y R))
              (IS X (RELATED-TO Y R2))))))
    (IN-CONTEXT
      ((SUPPOSE
         (EXISTS-SOME (MEMBER-OF S2)))
       (LET-BE X (MEMBER-OF S2))
       (LET-BE Y (MEMBER-OF S2))
       (LET-BE SR (APPLY-RULE R Y))
       (LET-BE SR2 (APPLY-RULE R2 Y)))
      (IN-CONTEXT
        ((SUPPOSE (IS X (RELATED-TO Y R))))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))
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2S0 


(LEMMA
  (FORALL ((W RELATION-STRUCTURE))
    (EXISTS-SOME
      (NON-EMPTY-SUBSET-OF
        (U-SET W)))))

(LEMMA
  (FORALL ((W RELATION-STRUCTURE)
           (S2 (NON-EMPTY-SUBSET-OF
                 (U-SET W))))
    (IS S2 NON-EMPTY-SET)))

(LEMMA
  (FORALL ((W RELATION-STRUCTURE)
           (S2 (NON-EMPTY-SUBSET-OF
                 (U-SET W))))
    (IS (RESTRICT-RELATION
          (GET-RELATION W)
          S2)
        (RELATION-ON S2))))

(LEMMA
  (FORALL ((W RELATION-STRUCTURE)
           (S2 (NON-EMPTY-SUBSET-OF
                 (U-SET W)))
           (X1 (MEMBER-OF S2))
           (X2 (MEMBER-OF S2)))
    (IFF
      (IS X1
          (RELATED-TO X2
                      (GET-RELATION W)))
      (IS X1
          (RELATED-TO X2
                      (RESTRICT-RELATION
                        (GET-RELATION W)
                        S2))))))

(IN-CONTEXT ((LET-BE W RELATION-STRUCTURE)
             (LET-BE S (U-SET W)))
  (NOTE
    (EXISTS-SOME
      (NON-EMPTY-SUBSET-OF (U-SET W))))
  (IN-CONTEXT
    ((LET-BE S2 (NON-EMPTY-SUBSET-OF S)))
    (NOTE (IS S2 NON-EMPTY-SET))
    (IN-CONTEXT
      ((LET-BE R
         (RESTRICT-RELATION
           (GET-RELATION W)
           S2))
       (LET-BE R2 (GET-RELATION W)))
      (NOTE (IS (RESTRICT-RELATION
                  (GET-RELATION W)
                  S2)
                (RELATION-ON S2)))
      (NOTE
        (FORALL ((X1 (MEMBER-OF S2))
                 (X (MEMBER-OF S2)))
          (IFF
            (IS X
                (RELATED-TO X1 (GET-RELATION W)))
            (IS X
                (RELATED-TO X1
                            (RESTRICT-RELATION
                              (GET-RELATION W)
                              S2)))))))))




(LEMMA
  (FORALL ((W RELATION-STRUCTURE)
           (S2 (NON-EMPTY-SUBSET-OF
                 (U-SET W))))
    (IS (RESTRICT-RELATION-STRUCTURE
          W
          S2)
        RELATION-STRUCTURE)))

(LEMMA
  (FORALL ((W RELATION-STRUCTURE)
           (S2 (NON-EMPTY-SUBSET-OF
                 (U-SET W))))
    (= (GET-RELATION
         (RESTRICT-RELATION-STRUCTURE
           W
           S2))
       (RESTRICT-RELATION
         (GET-RELATION W) S2))))

(LEMMA
  (FORALL ((W RELATION-STRUCTURE)
           (S2 (NON-EMPTY-SUBSET-OF
                 (U-SET W))))
    (= (U-SET
         (RESTRICT-RELATION-STRUCTURE
           W
           S2))
       S2)))

(LEMMA
  (FORALL
    ((W RELATION-STRUCTURE)
     (S2 (NON-EMPTY-SUBSET-OF
           (U-SET W)))
     (X (IN-U-SET
          (RESTRICT-RELATION-STRUCTURE
            W
            S2))))
    (IS X (IN-U-SET W))))

(IN-CONTEXT
  ((LET-BE W RELATION-STRUCTURE)
   (LET-BE S (U-SET W))
   (LET-BE S2 (NON-EMPTY-SUBSET-OF S))
   (LET-BE R
     (RESTRICT-RELATION (GET-RELATION W) S2))
   (LET-BE W2
     (RESTRICT-RELATION-STRUCTURE W S2)))
  (NOTE (IS (RESTRICT-RELATION-STRUCTURE W S2)
            RELATION-STRUCTURE))
  (NOTE (= (GET-RELATION
             (RESTRICT-RELATION-STRUCTURE W S2))
           (RESTRICT-RELATION
             (GET-RELATION W)
             S2)))
  (NOTE (= (U-SET
             (RESTRICT-RELATION-STRUCTURE W S2))
           S2)))

(IN-CONTEXT
  ((LET-BE W RELATION-STRUCTURE)
   (LET-BE S2
     (NON-EMPTY-SUBSET-OF (U-SET W)))
   (LET-BE W2
     (RESTRICT-RELATION-STRUCTURE W S2))
   (LET-BE X (IN-U-SET W2))
   (LET-BE S (U-SET W)))
  (NOTE (IS X (IN-U-SET W))))

(DEFTYPE (RIGHT-ADJACENT (X (IN-U-SET R))
                         (R RELATION-STRUCTURE))
  (RELATED-TO X (GET-RELATION R)))


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(LEHJU 

(FORALL  ((«  RELATIOI -STRUCTURE) 

(I  (II-U-SET  W)) 

CY  (RIGHT- AD JACEIT  II))) 
CIS  Y  (IS-U-SET  W)))) 


ui-coitext 

C  (LET-BF  «  RELATIGI -STRUCTURE) 

(LET-BE  X  (II-U-SET  V>) 

(PUSH-GOAL  (IS-EVERY  (RIGHT- AD JACEIT  X  W) 
C II-U-SET  V)))) 

CII-COITEIT 

((SUPPOSE 

(EXISTS-SCHE  ( RIGHT-.*  DJACEIT  X  H) ) ) 
(LET-bE  Y  (RIGHT-ID JiCEIT  I  «)  ) 

(LET  BE  S  (U-SET  H) ) 

C LET-BE  R  (GET-RELATIOI  «))) 

(IQTE-GOAL) ) 

(IOTE-GOAL) ) 


(DEFTYPE  ( LEFT- ADI ACEIT  (Y  (II-U-SET  R)) 

(R  RELATIDI-STRUCTURE) ) 
(LAMBDA  ((X  (IE-U-SET  R))) 

(IS  Y  (RIGHT-AD JACEIT  I  R)))) 


(DEFTYPE  (REFLEXIYE-RELATIOI-OI  (S  SET)) 

(LAMBDA  ((R  (RELATIOl-OI  $))) 

(FORALL  ((X  (MEMBER- OF  S))) 

(IS  X  (RELATED-TO  X  R))))> 

(DEFTYFK  (IRREFLEIIVE-RELATIOI-OI  (S  SET)) 

(LAMBDA  ((R  (RELATIOl-OI  S))) 

(FORALL  ((X  (MEMBER-OF  £,))) 

(IOT  (IS  X  (RELATED-TO  X  R)))))) 

(DEFTYPE  (SYMMETBIC-RELATIOI-OI  (S  SEI)) 

(LAMBDA  ( (R  (RELATIOI-OI  S)}) 

(FORALL  ((X  (MEMBER-OF  S)) 

(Y  (HEMBER-OF  3))) 

(IFF  (IS  X  (RELATED-TO  Y  R)> 

(IS  Y  (RELATED-TO  II)))))) 

(DEFTYPE  (AITISYHHETRIC-RELATIOI-OI  (S  SET)) 

(LAMBDA  ((A  (RELATIOI-OI  S>)) 

(FORALL  ((X  (HEKBER-OF  S)) 

(Y  (OTHER-MEMBER  S  X))> 

(IOT  (AID  (IS  X  (aELATED-TO  Y  R)) 

(IS  Y  (REUTED-TQ  Z  R))))))) 

(DEFTYPE  (TRAISITIYE-RELATIOI-OI  (S  SET)) 

(LAMBDA  (<R  (RELATIOI-OI  S))) 

(FORALL  ((X  (HEMBER-OF  S)) 

(Y  (RELATED-TO  X  R)» 

(IS-EVERY  (RELATED-TO  Y  R)  (RELATED-TO  I  R))))) 


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(DEFTYPE  (E1JUIVALEICE-RELATIDI-0I  CS  SET)) 
CUD-TYPE  (SYMKETRIC-RELATIQI-OI  S) 
(TRAISITIVE-RELATIOI-OI  S) 
(REFLEXIVE-RELATIOI-OI  S))) 

(DEFTYPE  EOUIViLEICE-RELATIOI 
CVRITABIE-AS  R 

(R  (FQUTVALEICE-RELITIOS-QI  S)) 

(S  SET))) 


CDEFTERM  (THE-T0TAL-RELATI0I-3I  (S  SET)) 
(THE-RUIE  C(I  (MEHBER-OF  S)))  S)) 


(LEMMA 

(FORALL  CCS  IOI-EKPTY-SET) ) 

CIS  (THE-TOTAL-RELATIOl-OI  S) 

CEqUIVALEICE-RELATIOf-Ol  S)))) 


(II-COITEIT 

C  CLET-BE  S  IOI-EHPTY-SET) 

CLET-BE  R  CTHE-TOTAL-RELATIOI-OI  S)) 

(push-goal 

(IS  R  (E3UIVALEICE-RELATI0I-0I  S) )  )  ) 
CII-COITEXT  C CLET-BE  I  (HEHBER-OF  S))) 

(I DTE  CIS  R  (P.EFLEIIVE-RELATIOI-OI  S))) 
(II-COITEIT  (CLET-BE  Y  (MEMBER-OF  S))) 
CIOTE  CIS  R  CSYHHETRIC-RELATIOI-OI  S)))) 
CI1-COVTEXT  (CLET-BE  Y  CRELATED-TO  11))) 
CIOTE  (IS  R  TRAISITIVE-RELATIQI-OI  S)))) 
(IOTE-GOAL) ) 


(LEMMA 

(FORALL 

CCS  IOI-EKPTY-SET) 

(R  (TRAISITIVE-RELATIOI-OI  S))) 

(-> 

(is  a 

(IRaEFLEIIVE-RELATIQI-OI  3)) 

CIS  R 

(AITISYHMETRIC-RELATIOI-OI  S))))) 


(II-COITEIT 

C CLET-BE  S  101-EMPTY-SET) 

CLET-BE  R  (TRASSITIVE-RELATIOI-OI  S)) 

(SUPPOSE 

CIS  R  ( IRREFLEII VE-RELATI OI-OI  S)>) 
(PUSH-OOAL 

(IS  R  (AITISYHMETRIC-RELATIOI-OI  S)))) 
(II-COITEIT  (CLET-BE  X  (MEMBER- OF  S))) 

CII-COITEIT 

( (PUSH-GOAL 

(FORALL  CCY  (OTHER-MEMBER  S  X))) 

CIOT  (AID  (IS  X  (RELATED-TO  Y  R)) 

(IS  Y  (RELATED-TD  I  R))))))> 


CII-COITEXT 

((SUPPOSE 

(EXISTS-SOME  (OTHER-MEMBER  S  X))) 


;the  abate  auppoaition  constrains  z 
;and  prevents  full  generalization 
CLET-BE  Y  (OTHER-MEMBER  S  X))) 

(IOTE  (IDT  (AID  (IS  X  (RELATED-TO  Y  R)) 

CIS  Y  (RELATED-TO  X  R))))) 

(IOTE-GOAL)) 

(IOTE-OOAL) ) 


(IOTE-GOAL))) 



A.5 Partial Orders and Zorn's Lemma


A partial order is defined here as a transitive irreflexive relation (every such relation is also antisymmetric). A poset (partially ordered set) is a relation structure whose relation is a partial order on the underlying set. Given a poset p and an element x of the underlying set of p the types (LESS-THAN x p) and (LESS-OR-EQUAL-TO x p) are defined in the obvious way. A total order is a partial order in which every two elements are ordered.

Let p be a poset, s a subset of the underlying set of p, and x an element of the underlying set of p. We say that x is a maximal element of s if it is an element of s and no element of s is greater than x. We say that x is the greatest member of s if it is a member of s and all members of s are less than or equal to x. We say that x is an upper bound of s if every member of s is less than or equal to x. The notions of minimal member, least member, and lower bound are defined similarly. We say that x is a least upper bound of s if it is the least member of the set of all upper bounds of s; greatest lower bounds are defined similarly.

A chain in a poset p is a subset s of p which is totally ordered by the order relation of p. An inductive order is a partial order in which every chain has an upper bound. Zorn's lemma states that if p is an inductive order and x is a member of the underlying set of p then there is a maximal member of p which is greater than or equal to x. Zorn's lemma can be proven from the axiom of choice but we take it as an axiom.
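The definitions above carried through on a small constructed poset (an added example, not from the thesis or from Ontic): the order relation is the set-valued rule x ↦ {y : x < y}, following the appendix's encoding of a relation, and maximal member, greatest member, upper bound, least upper bound, chain and inductive order are checked on it, with Zorn's conclusion exhibited for the finite case.

```python
from itertools import combinations

# Constructed sample poset (not from the thesis): all subsets of {a, b, c}
# under PROPER inclusion. The order is encoded as this appendix encodes the
# relation of a poset: a set-valued rule (here a dict) taking x to the set of
# elements greater than x, so (GREATER-THAN x p) is p(x) and (LESS-THAN x p)
# is the set of y with x in p(y).
U = frozenset(frozenset(c) for n in range(4) for c in combinations("abc", n))
GREATER = {x: frozenset(y for y in U if x < y) for x in U}


def is_partial_order(p, s):
    """PARTIAL-ORDER-ON s: a transitive irreflexive relation on s."""
    irreflexive = not any(x in p[x] for x in s)
    transitive = all(z in p[x] for x in s for y in p[x] for z in p[y])
    return irreflexive and transitive


def less(p, x, y):
    """(IS x (LESS-THAN y p)): y is a member of p(x)."""
    return y in p[x]


def leq(p, x, y):
    """LESS-OR-EQUAL-TO as the OR-TYPE of LESS-THAN and EQUAL-TO."""
    return x == y or less(p, x, y)


def is_maximal_in(p, s, x):
    """x is in s and no member of s is greater than x."""
    return x in s and not any(less(p, x, y) for y in s)


def is_greatest_of(p, s, x):
    """x is in s and every member of s is less than or equal to x."""
    return x in s and all(leq(p, y, x) for y in s)


def is_upper_bound_of(p, s, x):
    return all(leq(p, y, x) for y in s)


def least_upper_bound(p, u, s):
    """The least member of the set of all upper bounds of s in u, or None."""
    bounds = [x for x in u if is_upper_bound_of(p, s, x)]
    for x in bounds:
        if all(leq(p, x, y) for y in bounds):
            return x
    return None


def is_chain(p, s):
    """s is totally ordered by the order relation of p."""
    return all(x == y or less(p, x, y) or less(p, y, x) for x in s for y in s)


def is_inductive(p, u):
    """Every chain has an upper bound; checked over every subset of the finite u."""
    items = list(u)
    for n in range(len(items) + 1):
        for c in combinations(items, n):
            if is_chain(p, c) and not any(is_upper_bound_of(p, c, x) for x in u):
                return False
    return True


def maximal_above(p, u, x):
    """Zorn's conclusion for a finite inductive order: climb from x until no
    element is greater; the element reached is maximal and >= x."""
    y = x
    while True:
        above = [z for z in u if less(p, y, z)]
        if not above:
            return y
        y = above[0]
```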

(DEFTYPE (PARTIAL-ORDER-ON (S SET))
  (AND-TYPE (TRANSITIVE-RELATION-ON S)
            (IRREFLEXIVE-RELATION-ON S)))

(DEFTERM (THE-EMPTY-RELATION-ON (S SET))
  (THE-RULE ((X (MEMBER-OF S)))
    THE-EMPTY-SET))

(LEMMA
  (FORALL ((S NON-EMPTY-SET))
    (IS (THE-EMPTY-RELATION-ON S)
        (PARTIAL-ORDER-ON S))))

(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE R (THE-EMPTY-RELATION-ON S))
   (PUSH-GOAL (IS R (PARTIAL-ORDER-ON S))))
  (IN-CONTEXT
    ((LET-BE X (MEMBER-OF S)))
    (IN-CONTEXT
      ((LET-BE S2 (APPLY-RULE R X)))
      (NOTE (IS R (RELATION-ON S))))
    (NOTE-GOAL)))

(DEFTYPE POSET
  (LAMBDA ((S RELATION-STRUCTURE))
    (IS (GET-RELATION S)
        (PARTIAL-ORDER-ON (U-SET S)))))

(LEMMA (EXISTS-SOME POSET))

(IN-CONTEXT
  ((LET-BE S NON-EMPTY-SET)
   (LET-BE R (PARTIAL-ORDER-ON S))
   (LET-BE W (MAKE-RELATION-STRUCTURE R S)))
  (NOTE (EXISTS-SOME POSET)))

(DEFTYPE (LESS-THAN (X (IN-U-SET W)) (W POSET))
  (LEFT-ADJACENT X W))




(LEMMA
  (FORALL ((P POSET)
           (X (IN-U-SET P)))
    (NOT (IS X
             (LESS-THAN X P)))))

(LEMMA
  (FORALL ((P POSET)
           (X (IN-U-SET P))
           (Y (IN-U-SET P)))
    (NOT
      (AND
        (IS X
            (LESS-THAN Y P))
        (IS Y
            (LESS-THAN X P))))))

(LEMMA
  (FORALL ((P POSET)
           (X (IN-U-SET P))
           (Y (LESS-THAN X P))
           (Z (LESS-THAN Y P)))
    (IS Z (LESS-THAN X P))))

(IN-CONTEXT
  ((LET-BE P POSET)
   (LET-BE X (IN-U-SET P)))
  (IN-CONTEXT
    ((PUSH-GOAL
       (NOT (IS X (LESS-THAN X P))))
     (LET-BE R (GET-RELATION P))
     (LET-BE S (U-SET P)))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((LET-BE Y (IN-U-SET P))
     (PUSH-GOAL
       (NOT
         (AND (IS X (LESS-THAN Y P))
              (IS Y (LESS-THAN X P)))))
     (LET-BE R (GET-RELATION P))
     (LET-BE S (U-SET P)))
    (NOTE-GOAL))
  (IN-CONTEXT
    ((PUSH-GOAL
       (FORALL ((Y (LESS-THAN X P)))
         (IS-EVERY (LESS-THAN Y P)
                   (LESS-THAN X P)))))
    (IN-CONTEXT
      ((SUPPOSE
         (EXISTS-SOME (LESS-THAN X P)))
       (LET-BE Y (LESS-THAN X P)))
      (IN-CONTEXT
        ((SUPPOSE
           (EXISTS-SOME (LESS-THAN Y P)))
         (LET-BE Z (LESS-THAN Y P))
         (LET-BE R (GET-RELATION P))
         (LET-BE S (U-SET P)))
        (NOTE (IS-EVERY (LESS-THAN Y P)
                        (LESS-THAN X P))))
      (NOTE (IS-EVERY (LESS-THAN Y P)
                      (LESS-THAN X P)))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(DEFTYPE (GREATER-THAN (X (IN-U-SET W)) (W POSET))
  (RIGHT-ADJACENT X W))


A 
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(LEMMA 

(FORALL  ((P  POSED 

(I  (II-U-SET  P)) 

(Y  (GREATER-THil  I 
(IS  I  (LESS-  .'Hi*  Y  P>))> 


P))> 


(II-COITEXT 

((LET-BE  P  POSED 
(LET-BE  Z  (II-U-SET  P>) 

(PUSH-GOAL 

(FORALL  (CY  ( GREATER -THAI  IP))) 

(IS  I  (LESS-THA*  Y  P))))) 
(II-COITEXT 
((SUPPOSE 

(EIISTS-SOHE  (GREATER-THAI  IP))) 
(LET-BE  Y  (GREATER- THAI  I  P)) 
(GET-RELATI01  P)) 

(U-SET  P))) 


(LET-BE  R 
(LET-BE  S 
(IQTE-GQAL) ) 
(IOTE-GOAL)) 


(DEFTYPE (LESS-OR-EQUAL-TO (X (IN-U-SET W)) (W POSET))
  (OR-TYPE (LESS-THAN X W) (EQUAL-TO X)))

(LEMMA (FORALL ((P POSET)
                (X (IN-U-SET P))
                (Y (LESS-OR-EQUAL-TO X P)))
         (IS Y (IN-U-SET P))))

(LEMMA (FORALL ((P POSET)
                (X (IN-U-SET P))
                (Y (LESS-OR-EQUAL-TO X P))
                (Z (LESS-OR-EQUAL-TO Y P)))
         (IS Z (LESS-OR-EQUAL-TO X P))))

(IN-CONTEXT ((LET-BE P POSET)
             (LET-BE X (IN-U-SET P))
             (LET-BE Y (LESS-OR-EQUAL-TO X P)))
  (IN-CONTEXT ((PUSH-GOAL (IS Y (IN-U-SET P))))
    (IN-CONTEXT ((SUPPOSE (IS Y (LESS-THAN X P))))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT ((LET-BE Z (LESS-OR-EQUAL-TO Y P))
               (PUSH-GOAL (IS Z (LESS-OR-EQUAL-TO X P))))
    (IN-CONTEXT ((SUPPOSE (= Y X)))
      (NOTE-GOAL))
    (IN-CONTEXT ((SUPPOSE (IS Y (LESS-THAN X P))))
      (IN-CONTEXT ((SUPPOSE (IS Z (LESS-THAN Y P))))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(LEMMA (FORALL ((P POSET)
                (X (IN-U-SET P))
                (Y (LESS-OR-EQUAL-TO X P)))
         (=> (IS X (LESS-OR-EQUAL-TO Y P))
             (= X Y))))

(IN-CONTEXT ((LET-BE P POSET)
             (LET-BE X (IN-U-SET P))
             (LET-BE Y (LESS-OR-EQUAL-TO X P))
             (SUPPOSE (IS X (LESS-OR-EQUAL-TO Y P))))
  (NOTE (= X Y)))

(DEFTYPE (GREATER-OR-EQUAL-TO (X (IN-U-SET W)) (W POSET))
  (OR-TYPE (GREATER-THAN X W) (EQUAL-TO X)))


(LEMMA (FORALL ((P POSET)
                (X (IN-U-SET P))
                (Y (GREATER-OR-EQUAL-TO X P)))
         (IS Y (IN-U-SET P))))

(LEMMA (FORALL ((P POSET)
                (Y (IN-U-SET P))
                (X (IN-U-SET P)))
         (=> (IS Y (LESS-OR-EQUAL-TO X P))
             (IS X (GREATER-OR-EQUAL-TO Y P)))))

(LEMMA (FORALL ((P POSET)
                (Y (IN-U-SET P))
                (X (IN-U-SET P)))
         (=> (IS Y (GREATER-OR-EQUAL-TO X P))
             (IS X (LESS-OR-EQUAL-TO Y P)))))

(IN-CONTEXT ((LET-BE P POSET)
             (LET-BE X (IN-U-SET P))
             (LET-BE Y (GREATER-OR-EQUAL-TO X P))
             (PUSH-GOAL (IS Y (IN-U-SET P))))
  (IN-CONTEXT ((SUPPOSE (IS Y (GREATER-THAN X P))))
    (NOTE-GOAL))
  (NOTE-GOAL))

(IN-CONTEXT ((LET-BE P POSET)
             (LET-BE X (IN-U-SET P))
             (LET-BE Y (IN-U-SET P)))
  (IN-CONTEXT ((SUPPOSE (IS Y (LESS-OR-EQUAL-TO X P)))
               (PUSH-GOAL (IS X (GREATER-OR-EQUAL-TO Y P))))
    (IN-CONTEXT ((SUPPOSE (IS Y (LESS-THAN X P))))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT ((SUPPOSE (IS Y (GREATER-OR-EQUAL-TO X P)))
               (PUSH-GOAL (IS X (LESS-OR-EQUAL-TO Y P))))
    (IN-CONTEXT ((SUPPOSE (IS Y (GREATER-THAN X P))))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(DEFTERM (RESTRICT-ORDER (O POSET)
                         (S (NON-EMPTY-SUBSET-OF (U-SET O))))
  (RESTRICT-RELATION-STRUCTURE O S))


APPENDIX A. THE STONE REPRESENTATION THEOREM


(LEMMA (FORALL ((S1 NON-EMPTY-SET)
                (R1 (TRANSITIVE-RELATION-ON S1))
                (S2 (SUBSET-OF S1)))
         (IS (RESTRICT-RELATION R1 S2)
             (TRANSITIVE-RELATION-ON S2))))

(IN-CONTEXT ((LET-BE S1 NON-EMPTY-SET)
             (LET-BE R1 (TRANSITIVE-RELATION-ON S1))
             (LET-BE S2 (SUBSET-OF S1))
             (LET-BE R2 (RESTRICT-RELATION R1 S2))
             (PUSH-GOAL (IS R2 (TRANSITIVE-RELATION-ON S2))))
  (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (MEMBER-OF S2)))
               (LET-BE X (MEMBER-OF S2)))
    (IN-CONTEXT ((PUSH-GOAL (FORALL ((Y (RELATED-TO X R2)))
                              (IS-EVERY (RELATED-TO Y R2)
                                        (RELATED-TO X R2)))))
      (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (RELATED-TO X R2)))
                   (LET-BE Y (RELATED-TO X R2)))
        (IN-CONTEXT ((PUSH-GOAL (IS-EVERY (RELATED-TO Y R2)
                                          (RELATED-TO X R2))))
          (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (RELATED-TO Y R2)))
                       (LET-BE Z (RELATED-TO Y R2)))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))

(LEMMA (FORALL ((S SET))
         (EXISTS-SOME (IRREFLEXIVE-RELATION-ON S))))

(LEMMA (FORALL ((S1 NON-EMPTY-SET)
                (R1 (IRREFLEXIVE-RELATION-ON S1))
                (S2 (SUBSET-OF S1)))
         (IS (RESTRICT-RELATION R1 S2)
             (IRREFLEXIVE-RELATION-ON S2))))

(IN-CONTEXT ((LET-BE S SET)
             (LET-BE R (THE-EMPTY-RELATION-ON S)))
  (NOTE (EXISTS-SOME (IRREFLEXIVE-RELATION-ON S))))

(IN-CONTEXT ((LET-BE S1 NON-EMPTY-SET)
             (LET-BE R1 (IRREFLEXIVE-RELATION-ON S1))
             (LET-BE S2 (SUBSET-OF S1))
             (LET-BE R2 (RESTRICT-RELATION R1 S2))
             (PUSH-GOAL (IS R2 (IRREFLEXIVE-RELATION-ON S2))))
  (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (MEMBER-OF S2)))
               (LET-BE X (MEMBER-OF S2)))
    (NOTE-GOAL))
  (NOTE-GOAL))




(LEMMA (FORALL ((P POSET)
                (S2 (NON-EMPTY-SUBSET-OF (U-SET P))))
         (IS (RESTRICT-ORDER P S2) POSET)))

(LEMMA (FORALL ((P POSET)
                (S2 (NON-EMPTY-SUBSET-OF (U-SET P)))
                (X (IN-U-SET (RESTRICT-ORDER P S2))))
         (IS X (IN-U-SET P))))

(LEMMA (FORALL ((P POSET)
                (S2 (NON-EMPTY-SUBSET-OF (U-SET P)))
                (Y (IN-U-SET (RESTRICT-ORDER P S2)))
                (X (IN-U-SET (RESTRICT-ORDER P S2))))
         (IFF (IS X (LESS-THAN Y (RESTRICT-ORDER P S2)))
              (IS X (LESS-THAN Y P)))))

(IN-CONTEXT ((LET-BE P POSET)
             (LET-BE S2 (NON-EMPTY-SUBSET-OF (U-SET P)))
             (LET-BE P2 (RESTRICT-ORDER P S2)))
  (IN-CONTEXT ((LET-BE S1 (U-SET P))
               (LET-BE R1 (GET-RELATION P))
               (LET-BE R2 (GET-RELATION P2)))
    (NOTE (IS P2 POSET))
    (IN-CONTEXT ((LET-BE X (IN-U-SET P2))
                 (LET-BE Y (IN-U-SET P2)))
      (NOTE (IS X (IN-U-SET P)))
      (NOTE (IFF (IS X (LESS-THAN Y P2))
                 (IS X (LESS-THAN Y P)))))))

(LEMMA (FORALL ((P POSET)
                (S2 (NON-EMPTY-SUBSET-OF (U-SET P)))
                (Y (IN-U-SET (RESTRICT-ORDER P S2)))
                (X (IN-U-SET (RESTRICT-ORDER P S2))))
         (IFF (IS X (LESS-OR-EQUAL-TO Y (RESTRICT-ORDER P S2)))
              (IS X (LESS-OR-EQUAL-TO Y P)))))

(IN-CONTEXT ((LET-BE P POSET)
             (LET-BE S2 (NON-EMPTY-SUBSET-OF (U-SET P)))
             (LET-BE P2 (RESTRICT-ORDER P S2)))
  (IN-CONTEXT ((LET-BE X (IN-U-SET P2))
               (LET-BE Y (IN-U-SET P2)))
    (IN-CONTEXT ((PUSH-GOAL (IFF (IS X (LESS-OR-EQUAL-TO Y P2))
                                 (IS X (LESS-OR-EQUAL-TO Y P)))))
      (IN-CONTEXT ((SUPPOSE (IS X (LESS-OR-EQUAL-TO Y P2))))
        (IN-CONTEXT ((SUPPOSE (= X Y)))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (IN-CONTEXT ((SUPPOSE (IS X (LESS-OR-EQUAL-TO Y P))))
        (IN-CONTEXT ((SUPPOSE (= X Y)))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))))
(DEFTYPE (TOTAL-ORDER-ON (S SET))
  (LAMBDA ((R (PARTIAL-ORDER-ON S)))
    (FORALL ((X (MEMBER-OF S))
             (Y (MEMBER-OF S)))
      (OR (= X Y)
          (IS X (RELATED-TO Y R))
          (IS Y (RELATED-TO X R))))))

(DEFTYPE TOTALLY-ORDERED-SET
  (LAMBDA ((S RELATION-STRUCTURE))
    (IS (GET-RELATION S)
        (TOTAL-ORDER-ON (U-SET S)))))

(LEMMA (EXISTS-SOME TOTALLY-ORDERED-SET))

(IN-CONTEXT ((LET-BE S SINGLETON-SET)
             (LET-BE R (THE-EMPTY-RELATION-ON S))
             (LET-BE W (MAKE-RELATION-STRUCTURE R S)))
  (NOTE (EXISTS-SOME TOTALLY-ORDERED-SET)))

(IN-CONTEXT ((LET-BE W TOTALLY-ORDERED-SET)
             (PUSH-GOAL (IS W POSET))
             (LET-BE R (GET-RELATION W))
             (LET-BE S (U-SET W)))
  (NOTE-GOAL))

(IN-CONTEXT ((LET-BE W TOTALLY-ORDERED-SET)
             (LET-BE X (IN-U-SET W))
             (LET-BE Y (IN-U-SET W))
             (LET-BE R (GET-RELATION W))
             (LET-BE S (U-SET W)))
  (IN-CONTEXT ((PUSH-GOAL (OR (IS X (LESS-OR-EQUAL-TO Y W))
                              (IS Y (LESS-OR-EQUAL-TO X W)))))
    (IN-CONTEXT ((SUPPOSE (= X Y)))
      (NOTE-GOAL))
    (IN-CONTEXT ((SUPPOSE (IS X (LESS-THAN Y W))))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(DEFTYPE (MINIMAL-ELEMENT-OF (W POSET))
  (LAMBDA ((X (IN-U-SET W)))
    (NOT (EXISTS-SOME (LESS-THAN X W)))))

(DEFTYPE (MAXIMAL-ELEMENT-OF (W POSET))
  (LAMBDA ((X (IN-U-SET W)))
    (NOT (EXISTS-SOME (GREATER-THAN X W)))))

(DEFTYPE (UPPER-BOUND-OF (S (SUBSET-OF (U-SET W))) (W POSET))
  (LAMBDA ((A (IN-U-SET W)))
    (IS-EVERY (MEMBER-OF S)
              (LESS-OR-EQUAL-TO A W))))

(LEMMA (FORALL ((W TOTALLY-ORDERED-SET)
                (X (IN-U-SET W))
                (Y (IN-U-SET W)))
         (OR (IS X (LESS-OR-EQUAL-TO Y W))
             (IS Y (LESS-OR-EQUAL-TO X W)))))

(LEMMA (FORALL ((W TOTALLY-ORDERED-SET))
         (IS W POSET)))


(LEMMA (FORALL ((W POSET)
                (X (IN-U-SET W))
                (Y (IN-U-SET W)))
         (IS-EVERY (AND-TYPE (GREATER-OR-EQUAL-TO X W)
                             (GREATER-OR-EQUAL-TO Y W))
                   (UPPER-BOUND-OF (MAKE-SET X Y) W))))

(IN-CONTEXT ((LET-BE W POSET)
             (LET-BE X (IN-U-SET W))
             (LET-BE Y (IN-U-SET W))
             (PUSH-GOAL (IS-EVERY (AND-TYPE (GREATER-OR-EQUAL-TO X W)
                                            (GREATER-OR-EQUAL-TO Y W))
                                  (UPPER-BOUND-OF (MAKE-SET X Y) W))))
  (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (AND-TYPE (GREATER-OR-EQUAL-TO X W)
                                               (GREATER-OR-EQUAL-TO Y W))))
               (LET-BE Z (AND-TYPE (GREATER-OR-EQUAL-TO X W)
                                   (GREATER-OR-EQUAL-TO Y W))))
    (IN-CONTEXT ((PUSH-GOAL (IS Z (UPPER-BOUND-OF (MAKE-SET X Y) W))))
      (IN-CONTEXT ((LET-BE S (MAKE-SET X Y))
                   (LET-BE Z2 (MEMBER-OF S)))
        (IN-CONTEXT ((PUSH-GOAL (IS Z (GREATER-OR-EQUAL-TO Z2 W))))
          (IN-CONTEXT ((SUPPOSE (= Z2 X)))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))

(LEMMA (FORALL ((W POSET)
                (Y (IN-U-SET W))
                (X (IN-U-SET W)))
         (IS-EVERY (UPPER-BOUND-OF (MAKE-SET X Y) W)
                   (GREATER-OR-EQUAL-TO X W))))

(IN-CONTEXT ((LET-BE W POSET)
             (LET-BE X (IN-U-SET W))
             (LET-BE Y (IN-U-SET W))
             (LET-BE S (MAKE-SET X Y))
             (PUSH-GOAL (IS-EVERY (UPPER-BOUND-OF S W)
                                  (GREATER-OR-EQUAL-TO X W))))
  (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (UPPER-BOUND-OF S W)))
               (LET-BE Z (UPPER-BOUND-OF S W)))
    (NOTE-GOAL))
  (NOTE-GOAL))

(LEMMA (FORALL ((P POSET)
                (X (IN-U-SET P))
                (S (SUBSET-OF (U-SET P))))
         (IS-EVERY (AND-TYPE (GREATER-OR-EQUAL-TO X P)
                             (UPPER-BOUND-OF S P))
                   (UPPER-BOUND-OF (INSERT X S) P))))

(IN-CONTEXT ((LET-BE P POSET)
             (LET-BE S (SUBSET-OF (U-SET P)))
             (LET-BE X (IN-U-SET P))
             (PUSH-GOAL (IS-EVERY (AND-TYPE (GREATER-OR-EQUAL-TO X P)
                                            (UPPER-BOUND-OF S P))
                                  (UPPER-BOUND-OF (INSERT X S) P))))
  (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (AND-TYPE (GREATER-OR-EQUAL-TO X P)
                                               (UPPER-BOUND-OF S P))))
               (LET-BE Y (AND-TYPE (GREATER-OR-EQUAL-TO X P)
                                   (UPPER-BOUND-OF S P))))
    (IN-CONTEXT ((PUSH-GOAL (IS Y (UPPER-BOUND-OF (INSERT X S) P))))
      (IN-CONTEXT ((LET-BE S2 (INSERT X S))
                   (LET-BE Z (MEMBER-OF S2)))
        (IN-CONTEXT ((PUSH-GOAL (IS Y (GREATER-OR-EQUAL-TO Z P))))
          (IN-CONTEXT ((SUPPOSE (= Z X)))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL)))
    (NOTE-GOAL))
  (NOTE-GOAL))

(DEFTYPE (LOWER-BOUND-OF (S (SUBSET-OF (U-SET W))) (W POSET))
  (LAMBDA ((A (IN-U-SET W)))
    (IS-EVERY (MEMBER-OF S) (GREATER-OR-EQUAL-TO A W))))

(LEMMA (FORALL ((W POSET)
                (X (IN-U-SET W))
                (Y (IN-U-SET W)))
         (IS-EVERY (AND-TYPE (LESS-OR-EQUAL-TO X W)
                             (LESS-OR-EQUAL-TO Y W))
                   (LOWER-BOUND-OF (MAKE-SET X Y) W))))

(IN-CONTEXT ((LET-BE W POSET)
             (LET-BE X (IN-U-SET W))
             (LET-BE Y (IN-U-SET W))
             (PUSH-GOAL (IS-EVERY (AND-TYPE (LESS-OR-EQUAL-TO X W)
                                            (LESS-OR-EQUAL-TO Y W))
                                  (LOWER-BOUND-OF (MAKE-SET X Y) W))))
  (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (AND-TYPE (LESS-OR-EQUAL-TO X W)
                                               (LESS-OR-EQUAL-TO Y W))))
               (LET-BE Z (AND-TYPE (LESS-OR-EQUAL-TO X W)
                                   (LESS-OR-EQUAL-TO Y W))))
    (IN-CONTEXT ((PUSH-GOAL (IS Z (LOWER-BOUND-OF (MAKE-SET X Y) W))))
      (IN-CONTEXT ((LET-BE S (MAKE-SET X Y))
                   (LET-BE Z2 (MEMBER-OF S)))
        (IN-CONTEXT ((PUSH-GOAL (IS Z (LESS-OR-EQUAL-TO Z2 W))))
          (IN-CONTEXT ((SUPPOSE (= Z2 X)))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))

(LEMMA (FORALL ((W POSET)
                (Y (IN-U-SET W))
                (X (IN-U-SET W)))
         (IS-EVERY (LOWER-BOUND-OF (MAKE-SET X Y) W)
                   (LESS-OR-EQUAL-TO X W))))

(IN-CONTEXT ((LET-BE W POSET)
             (LET-BE X (IN-U-SET W))
             (LET-BE Y (IN-U-SET W))
             (LET-BE S (MAKE-SET X Y))
             (PUSH-GOAL (IS-EVERY (LOWER-BOUND-OF S W)
                                  (LESS-OR-EQUAL-TO X W))))
  (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (LOWER-BOUND-OF S W)))
               (LET-BE Z (LOWER-BOUND-OF S W)))
    (NOTE-GOAL))
  (NOTE-GOAL))
(LEMMA (FORALL ((P POSET)
                (X (IN-U-SET P))
                (S (SUBSET-OF (U-SET P))))
         (IS-EVERY (AND-TYPE (LESS-OR-EQUAL-TO X P)
                             (LOWER-BOUND-OF S P))
                   (LOWER-BOUND-OF (INSERT X S) P))))

(IN-CONTEXT ((LET-BE P POSET)
             (LET-BE S (SUBSET-OF (U-SET P)))
             (LET-BE X (IN-U-SET P))
             (PUSH-GOAL (IS-EVERY (AND-TYPE (LESS-OR-EQUAL-TO X P)
                                            (LOWER-BOUND-OF S P))
                                  (LOWER-BOUND-OF (INSERT X S) P))))
  (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (AND-TYPE (LESS-OR-EQUAL-TO X P)
                                               (LOWER-BOUND-OF S P))))
               (LET-BE Y (AND-TYPE (LESS-OR-EQUAL-TO X P)
                                   (LOWER-BOUND-OF S P))))
    (IN-CONTEXT ((PUSH-GOAL (IS Y (LOWER-BOUND-OF (INSERT X S) P))))
      (IN-CONTEXT ((LET-BE S2 (INSERT X S))
                   (LET-BE Z (MEMBER-OF S2)))
        (IN-CONTEXT ((PUSH-GOAL (IS Y (LESS-OR-EQUAL-TO Z P))))
          (IN-CONTEXT ((SUPPOSE (= Z X)))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL)))
    (NOTE-GOAL))
  (NOTE-GOAL))

(DEFTYPE (LEAST-MEMBER-OF (S (SUBSET-OF (U-SET W))) (W POSET))
  (LAMBDA ((X (MEMBER-OF S)))
    (IS-EVERY (MEMBER-OF S)
              (GREATER-OR-EQUAL-TO X W))))
(LEMMA (FORALL ((W POSET)
                (S (SUBSET-OF (U-SET W))))
         (IS-EVERY (LEAST-MEMBER-OF S W)
                   (IN-U-SET W))))

(LEMMA (FORALL ((W POSET)
                (S (SUBSET-OF (U-SET W))))
         (AT-MOST-ONE (LEAST-MEMBER-OF S W))))

(IN-CONTEXT ((LET-BE W POSET)
             (LET-BE S (SUBSET-OF (U-SET W))))
  (IN-CONTEXT ((PUSH-GOAL (IS-EVERY (LEAST-MEMBER-OF S W)
                                    (IN-U-SET W))))
    (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (LEAST-MEMBER-OF S W)))
                 (LET-BE X (LEAST-MEMBER-OF S W))
                 (LET-BE S2 (U-SET W)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT ((PUSH-GOAL (AT-MOST-ONE (LEAST-MEMBER-OF S W))))
    (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (LEAST-MEMBER-OF S W)))
                 (LET-BE X (LEAST-MEMBER-OF S W))
                 (LET-BE Y (LEAST-MEMBER-OF S W)))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(DEFTYPE (GREATEST-MEMBER-OF (S (SUBSET-OF (U-SET W))) (W POSET))
  (LAMBDA ((X (MEMBER-OF S)))
    (IS-EVERY (MEMBER-OF S)
              (LESS-OR-EQUAL-TO X W))))
(LEMMA (FORALL ((W POSET)
                (S (SUBSET-OF (U-SET W)))
                (X (GREATEST-MEMBER-OF S W)))
         (IS X (IN-U-SET W))))

(LEMMA (FORALL ((W POSET)
                (S (SUBSET-OF (U-SET W))))
         (AT-MOST-ONE (GREATEST-MEMBER-OF S W))))

(IN-CONTEXT ((LET-BE W POSET)
             (LET-BE S (SUBSET-OF (U-SET W))))
  (IN-CONTEXT ((PUSH-GOAL (IS-EVERY (GREATEST-MEMBER-OF S W)
                                    (IN-U-SET W))))
    (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (GREATEST-MEMBER-OF S W)))
                 (LET-BE X (GREATEST-MEMBER-OF S W))
                 (LET-BE S2 (U-SET W)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT ((PUSH-GOAL (AT-MOST-ONE (GREATEST-MEMBER-OF S W))))
    (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (GREATEST-MEMBER-OF S W)))
                 (LET-BE X (GREATEST-MEMBER-OF S W))
                 (LET-BE Y (GREATEST-MEMBER-OF S W)))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(DEFTYPE (LEAST-UPPER-BOUND-OF (S (SUBSET-OF (U-SET W))) (W POSET))
  (LEAST-MEMBER-OF (THE-SET-OF-ALL (UPPER-BOUND-OF S W)) W))
(LEMMA (FORALL ((W POSET)
                (S (SUBSET-OF (U-SET W))))
         (IS (THE-SET-OF-ALL (UPPER-BOUND-OF S W))
             (SUBSET-OF (U-SET W)))))

(LEMMA (FORALL ((W POSET)
                (S (SUBSET-OF (U-SET W))))
         (AT-MOST-ONE (LEAST-UPPER-BOUND-OF S W))))

(LEMMA (FORALL ((W POSET)
                (S (SUBSET-OF (U-SET W)))
                (X (LEAST-UPPER-BOUND-OF S W)))
         (IS X (UPPER-BOUND-OF S W))))

(LEMMA (FORALL ((W POSET)
                (S (SUBSET-OF (U-SET W))))
         (=> (EXISTS-SOME (UPPER-BOUND-OF S W))
             (FORALL ((X (UPPER-BOUND-OF S W)))
               (=> (IS-EVERY (UPPER-BOUND-OF S W)
                             (GREATER-OR-EQUAL-TO X W))
                   (IS X (LEAST-UPPER-BOUND-OF S W)))))))

(LEMMA (FORALL ((W POSET)
                (S (SUBSET-OF (U-SET W))))
         (=> (EXISTS-SOME (LEAST-UPPER-BOUND-OF S W))
             (FORALL ((Y (UPPER-BOUND-OF S W)))
               (IS-EVERY (LEAST-UPPER-BOUND-OF S W)
                         (LESS-OR-EQUAL-TO Y W))))))

(IN-CONTEXT ((LET-BE W POSET)
             (LET-BE S (SUBSET-OF (U-SET W)))
             (LET-BE S2 (THE-SET-OF-ALL (UPPER-BOUND-OF S W))))
  (IN-CONTEXT ((LET-BE S3 (U-SET W))
               (PUSH-GOAL (IS S2 (SUBSET-OF S3))))
    (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (MEMBER-OF S2)))
                 (LET-BE X (MEMBER-OF S2)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE (AT-MOST-ONE (LEAST-UPPER-BOUND-OF S W)))
  (IN-CONTEXT ((PUSH-GOAL (IS-EVERY (LEAST-UPPER-BOUND-OF S W)
                                    (UPPER-BOUND-OF S W))))
    (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (LEAST-UPPER-BOUND-OF S W)))
                 (LET-BE X (LEAST-UPPER-BOUND-OF S W)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (UPPER-BOUND-OF S W)))
               (LET-BE X (UPPER-BOUND-OF S W))
               (SUPPOSE (IS-EVERY (UPPER-BOUND-OF S W)
                                  (GREATER-OR-EQUAL-TO X W))))
    (NOTE (IS X (LEAST-UPPER-BOUND-OF S W))))
  (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (LEAST-UPPER-BOUND-OF S W)))
               (LET-BE X (LEAST-UPPER-BOUND-OF S W))
               (LET-BE Y (UPPER-BOUND-OF S W)))
    (NOTE (IS X (LESS-OR-EQUAL-TO Y W)))))
(LEMMA (FORALL ((W POSET)
                (X (IN-U-SET W))
                (Y (IN-U-SET W)))
         (AT-MOST-ONE (LEAST-UPPER-BOUND-OF (MAKE-SET X Y) W))))

(LEMMA (FORALL ((W POSET)
                (X (IN-U-SET W))
                (Y (IN-U-SET W)))
         (=> (EXISTS-SOME (LEAST-UPPER-BOUND-OF (MAKE-SET X Y) W))
             (FORALL ((Z2 (UPPER-BOUND-OF (MAKE-SET X Y) W)))
               (IS (THE (LEAST-UPPER-BOUND-OF (MAKE-SET X Y) W))
                   (LESS-OR-EQUAL-TO Z2 W))))))

(IN-CONTEXT ((LET-BE W POSET)
             (LET-BE X (IN-U-SET W))
             (LET-BE Y (IN-U-SET W))
             (LET-BE S (MAKE-SET X Y)))
  (NOTE (AT-MOST-ONE (LEAST-UPPER-BOUND-OF S W)))
  (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (LEAST-UPPER-BOUND-OF S W)))
               (LET-BE Z (THE (LEAST-UPPER-BOUND-OF S W))))
    (IN-CONTEXT ((LET-BE Z2 (UPPER-BOUND-OF S W)))
      (NOTE (IS Z (LESS-OR-EQUAL-TO Z2 W))))))

(DEFTYPE (GREATEST-LOWER-BOUND-OF (S (SUBSET-OF (U-SET W))) (W POSET))
  (GREATEST-MEMBER-OF (THE-SET-OF-ALL (LOWER-BOUND-OF S W)) W))
(LEMMA (FORALL ((W POSET)
                (S (SUBSET-OF (U-SET W))))
         (IS (THE-SET-OF-ALL (LOWER-BOUND-OF S W))
             (SUBSET-OF (U-SET W)))))

(LEMMA (FORALL ((W POSET)
                (S (SUBSET-OF (U-SET W))))
         (AT-MOST-ONE (GREATEST-LOWER-BOUND-OF S W))))

(LEMMA (FORALL ((W POSET)
                (S (SUBSET-OF (U-SET W)))
                (X (GREATEST-LOWER-BOUND-OF S W)))
         (IS X (LOWER-BOUND-OF S W))))

(LEMMA (FORALL ((W POSET)
                (S (SUBSET-OF (U-SET W))))
         (=> (EXISTS-SOME (LOWER-BOUND-OF S W))
             (FORALL ((X (LOWER-BOUND-OF S W)))
               (=> (IS-EVERY (LOWER-BOUND-OF S W)
                             (LESS-OR-EQUAL-TO X W))
                   (IS X (GREATEST-LOWER-BOUND-OF S W)))))))

(LEMMA (FORALL ((W POSET)
                (S (SUBSET-OF (U-SET W))))
         (=> (EXISTS-SOME (GREATEST-LOWER-BOUND-OF S W))
             (FORALL ((Y (LOWER-BOUND-OF S W)))
               (IS-EVERY (GREATEST-LOWER-BOUND-OF S W)
                         (GREATER-OR-EQUAL-TO Y W))))))

(IN-CONTEXT ((LET-BE W POSET)
             (LET-BE S (SUBSET-OF (U-SET W)))
             (LET-BE S2 (THE-SET-OF-ALL (LOWER-BOUND-OF S W))))
  (IN-CONTEXT ((LET-BE S3 (U-SET W))
               (PUSH-GOAL (IS S2 (SUBSET-OF S3))))
    (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (MEMBER-OF S2)))
                 (LET-BE X (MEMBER-OF S2)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE (AT-MOST-ONE (GREATEST-LOWER-BOUND-OF S W)))
  (IN-CONTEXT ((PUSH-GOAL (IS-EVERY (GREATEST-LOWER-BOUND-OF S W)
                                    (LOWER-BOUND-OF S W))))
    (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (GREATEST-LOWER-BOUND-OF S W)))
                 (LET-BE X (GREATEST-LOWER-BOUND-OF S W)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (LOWER-BOUND-OF S W)))
               (LET-BE X (LOWER-BOUND-OF S W))
               (SUPPOSE (IS-EVERY (LOWER-BOUND-OF S W)
                                  (LESS-OR-EQUAL-TO X W))))
    (NOTE (IS X (GREATEST-LOWER-BOUND-OF S W))))
  (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (GREATEST-LOWER-BOUND-OF S W)))
               (LET-BE X (GREATEST-LOWER-BOUND-OF S W))
               (LET-BE Y (LOWER-BOUND-OF S W)))
    (NOTE (IS X (GREATER-OR-EQUAL-TO Y W)))))
(LEMMA (FORALL ((W POSET)
                (X (IN-U-SET W))
                (Y (IN-U-SET W)))
         (AT-MOST-ONE (GREATEST-LOWER-BOUND-OF (MAKE-SET X Y) W))))

(IN-CONTEXT ((LET-BE W POSET)
             (LET-BE X (IN-U-SET W))
             (LET-BE Y (IN-U-SET W))
             (LET-BE S (MAKE-SET X Y)))
  (NOTE (AT-MOST-ONE (GREATEST-LOWER-BOUND-OF S W)))
  (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (GREATEST-LOWER-BOUND-OF S W)))
               (LET-BE Z (THE (GREATEST-LOWER-BOUND-OF S W))))
    (IN-CONTEXT ((LET-BE Z2 (LOWER-BOUND-OF S W)))
      (NOTE (IS Z (GREATER-OR-EQUAL-TO Z2 W))))))

(LEMMA (FORALL ((W POSET)
                (X (IN-U-SET W))
                (Y (IN-U-SET W)))
         (=> (EXISTS-SOME (GREATEST-LOWER-BOUND-OF (MAKE-SET X Y) W))
             (FORALL ((Z2 (LOWER-BOUND-OF (MAKE-SET X Y) W)))
               (IS (THE (GREATEST-LOWER-BOUND-OF (MAKE-SET X Y) W))
                   (GREATER-OR-EQUAL-TO Z2 W))))))

(DEFTYPE (CHAIN-IN (P POSET))
  (LAMBDA ((S (NON-EMPTY-SUBSET-OF (U-SET P))))
    (IS (RESTRICT-ORDER P S) TOTALLY-ORDERED-SET)))

(LEMMA (FORALL ((P POSET)
                (X (IN-U-SET P)))
         (IS (MAKE-SET X) (CHAIN-IN P))))

(IN-CONTEXT ((LET-BE P POSET)
             (LET-BE X (IN-U-SET P))
             (LET-BE S (MAKE-SET X))
             (PUSH-GOAL (IS S (CHAIN-IN P)))
             (LET-BE RCHAIN (RESTRICT-ORDER P S))
             (LET-BE REL (GET-RELATION RCHAIN)))
  (NOTE-GOAL))

(LEMMA (FORALL ((P1 POSET)
                (C (CHAIN-IN P1))
                (X (MEMBER-OF C))
                (Y (MEMBER-OF C)))
         (OR (IS X (LESS-OR-EQUAL-TO Y P1))
             (IS Y (LESS-OR-EQUAL-TO X P1)))))

(IN-CONTEXT ((LET-BE P1 POSET)
             (LET-BE C (CHAIN-IN P1))
             (LET-BE P2 (RESTRICT-ORDER P1 C))
             (LET-BE X (MEMBER-OF C))
             (LET-BE Y (MEMBER-OF C)))
  (NOTE (OR (IS X (LESS-OR-EQUAL-TO Y P1))
            (IS Y (LESS-OR-EQUAL-TO X P1)))))

(DEFTYPE INDUCTIVE-ORDER
  (LAMBDA ((R POSET))
    (FORALL ((S (CHAIN-IN R)))
      (EXISTS-SOME (UPPER-BOUND-OF S R)))))

;; We take Zorn's lemma as an axiom.
(AXIOM (FORALL ((R INDUCTIVE-ORDER)
                (X (IN-U-SET R)))
         (EXISTS-SOME (AND-TYPE (MAXIMAL-ELEMENT-OF R)
                                (GREATER-OR-EQUAL-TO X R)))))
A.6  Lattices


A lattice is a poset in which every pair of elements has both a least upper
bound and a greatest lower bound. The greatest lower bound and least upper
bound of two elements are called the meet and join respectively. A complete
lattice is a poset in which every subset of the underlying set has a least
upper bound. We prove that in a complete lattice every subset also has a
greatest lower bound: the greatest lower bound of s is the least upper
bound of the set of all lower bounds of s, and that is how the proof below
constructs it.

The inclusion order on a family of sets F is a poset whose underlying set
is the family F and where x is less than or equal to y just in case x is a
subset of y. For any set s the inclusion order on the power set of s is a
complete lattice such that for any subset F of the power set of s the least
upper bound and greatest lower bound of F are respectively the union and
intersection over F. The poset which is the inclusion order on the power
set of s is called a power set lattice.

The meet and join functions are monotone in each argument, i.e. increasing
an argument never decreases the meet or join. The meet of x and the meet of
y and z is the greatest lower bound of the set {x, y, z} and thus the meet
function is associative. The join function is similarly associative.
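The definitions of section A.5 (strict partial orders, chains, inductive orders, Zorn's lemma) and the claims of this section (a power set lattice is complete with union and intersection as the bounds; meet and join are monotone and associative) can all be checked mechanically on finite posets. The Python below is an added example, not part of the Ontic appendix or its lemma library; every name in it (Poset, lub, glb, is_chain, zorn_maximal_above, power_set_lattice, meet_join_laws_hold) is this example's own, and the sample posets are constructed here. As PARTIAL-ORDER-ON does above, a poset is given by its strict part, which the constructor checks for irreflexivity and transitivity.

```python
"""Finite checks of the A.5 / A.6 definitions (added example, not Ontic code).

A poset is a finite carrier plus the pairs (x, y) of its strict order "x is
less than y", which must be irreflexive and transitive exactly as
PARTIAL-ORDER-ON requires.  All names here are this example's own.
"""
from itertools import combinations


def subsets(s):
    """All subsets of s as frozensets (the power set)."""
    s = list(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]


class Poset:
    def __init__(self, carrier, strict_pairs):
        self.S = frozenset(carrier)
        self.lt = frozenset(strict_pairs)
        if any(x not in self.S or y not in self.S for x, y in self.lt):
            raise ValueError("relation leaves the carrier")
        if any((x, x) in self.lt for x in self.S):
            raise ValueError("relation is not irreflexive")
        if any((x, z) not in self.lt
               for x, y in self.lt for y2, z in self.lt if y == y2):
            raise ValueError("relation is not transitive")

    def le(self, x, y):                 # LESS-OR-EQUAL-TO: less-than or equal
        return x == y or (x, y) in self.lt

    def upper_bounds(self, s):
        return {a for a in self.S if all(self.le(m, a) for m in s)}

    def lower_bounds(self, s):
        return {a for a in self.S if all(self.le(a, m) for m in s)}

    def least(self, t):                 # None when t has no least member
        c = [x for x in t if all(self.le(x, y) for y in t)]
        return c[0] if c else None      # at most one, by antisymmetry

    def greatest(self, t):
        c = [x for x in t if all(self.le(y, x) for y in t)]
        return c[0] if c else None

    def lub(self, s):                   # least member of the set of upper bounds
        return self.least(self.upper_bounds(s))

    def glb(self, s):                   # greatest member of the set of lower bounds
        return self.greatest(self.lower_bounds(s))

    def is_chain(self, s):              # CHAIN-IN: non-empty and totally ordered
        return bool(s) and all(self.le(x, y) or self.le(y, x) for x in s for y in s)

    def maximal_elements(self):
        return {x for x in self.S if not any((x, y) in self.lt for y in self.S)}

    def is_lattice(self):
        return all(self.lub({x, y}) is not None and self.glb({x, y}) is not None
                   for x in self.S for y in self.S)

    def is_complete_lattice(self):      # every subset has a least upper bound
        return all(self.lub(t) is not None for t in subsets(self.S))

    def zorn_maximal_above(self, x):
        """Finite case of Zorn's lemma: a maximal element >= x.  A finite poset
        is inductive (a chain's top bounds it) and climbing the strict order
        terminates because that order is irreflexive and transitive."""
        cur = x
        while True:
            above = [y for y in self.S if (cur, y) in self.lt]
            if not above:
                return cur
            cur = above[0]


def is_strict_partial_order(carrier, strict_pairs):
    try:
        Poset(carrier, strict_pairs)
        return True
    except ValueError:
        return False


def power_set_lattice(base):
    """Inclusion order on the power set of base: x < y iff x is a proper subset of y."""
    fam = subsets(base)
    return Poset(fam, {(a, b) for a in fam for b in fam if a < b})


def power_lattice_bounds_are_union_and_intersection(base):
    """lub of a family F is the union over F and glb the intersection over F
    (for the empty family the glb is base itself, the top of the lattice)."""
    p, base = power_set_lattice(base), frozenset(base)
    for fam in subsets(p.S):
        union = frozenset().union(*fam)
        inter = base.intersection(*fam) if fam else base
        if p.lub(fam) != union or p.glb(fam) != inter:
            return False
    return p.is_complete_lattice()


def meet_join_laws_hold(p):
    """For a lattice p: associativity of meet and join, and monotonicity of
    each in its first argument (the second follows by symmetry of the pair)."""
    for x in p.S:
        for y in p.S:
            for z in p.S:
                if p.glb({x, p.glb({y, z})}) != p.glb({x, y, z}):
                    return False
                if p.lub({x, p.lub({y, z})}) != p.lub({x, y, z}):
                    return False
                if p.le(x, y) and not (p.le(p.glb({x, z}), p.glb({y, z}))
                                       and p.le(p.lub({x, z}), p.lub({y, z}))):
                    return False
    return True


if __name__ == "__main__":
    # constructed sample: the four-element "diamond" 0 < 1, 2 < 3
    diamond = Poset(range(4), {(0, 1), (0, 2), (1, 3), (2, 3), (0, 3)})
    print(diamond.is_lattice(), diamond.is_chain({1, 2}), diamond.zorn_maximal_above(1))
    print(power_lattice_bounds_are_union_and_intersection({1, 2, 3}))
```

The empty relation on a non-empty carrier is accepted by the constructor, which is the first lemma of A.5 in executable form; a two-element antichain built that way is a poset with two maximal elements but no join, so it is not a lattice, while the diamond is a (complete) lattice in which {1, 2} is not a chain. The power set lattice check enumerates every family of subsets of the base, so keep the base small.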
(DEFTYPE LATTICE
  (LAMBDA ((W POSET))
    (FORALL ((X (IN-U-SET W))
             (Y (IN-U-SET W)))
      (AND (EXISTS-SOME (LEAST-UPPER-BOUND-OF (MAKE-SET X Y) W))
           (EXISTS-SOME (GREATEST-LOWER-BOUND-OF (MAKE-SET X Y) W))))))

(DEFTERM (JOIN (X (IN-U-SET L)) (Y (IN-U-SET L)) (L LATTICE))
  (THE (LEAST-UPPER-BOUND-OF (MAKE-SET X Y) L)))

(DEFTERM (MEET (X (IN-U-SET L)) (Y (IN-U-SET L)) (L LATTICE))
  (THE (GREATEST-LOWER-BOUND-OF (MAKE-SET X Y) L)))

(DEFTYPE COMPLETE-LATTICE
  (LAMBDA ((W POSET))
    (FORALL ((S (SUBSET-OF (U-SET W))))
      (EXISTS-SOME (LEAST-UPPER-BOUND-OF S W)))))

(LEMMA (EXISTS-SOME COMPLETE-LATTICE))

(IN-CONTEXT ((PUSH-GOAL (EXISTS-SOME COMPLETE-LATTICE))
             (LET-BE S SINGLETON-SET)
             (LET-BE R (THE-EMPTY-RELATION-ON S))
             (LET-BE W (MAKE-RELATION-STRUCTURE R S))
             (LET-BE S2 (SUBSET-OF (U-SET W))))
  (IN-CONTEXT ((PUSH-GOAL (EXISTS-SOME (LEAST-UPPER-BOUND-OF S2 W))))
    (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (MEMBER-OF S2)))
                 (LET-BE X (MEMBER-OF S2))
                 (LET-BE Y (UPPER-BOUND-OF S2 W)))
      (NOTE-GOAL))
    (IN-CONTEXT ((SUPPOSE (NOT (EXISTS-SOME (MEMBER-OF S2))))
                 (LET-BE X (MEMBER-OF S))
                 (LET-BE Y (UPPER-BOUND-OF S2 W)))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))
(IN-CONTEXT ((LET-BE W COMPLETE-LATTICE)
             (LET-BE S (SUBSET-OF (U-SET W)))
             (PUSH-GOAL (EXISTS-SOME (GREATEST-LOWER-BOUND-OF S W))))
  (IN-CONTEXT ((LET-BE S2 (THE-SET-OF-ALL (LOWER-BOUND-OF S W)))
               (LET-BE X (THE (LEAST-UPPER-BOUND-OF S2 W))))
    (IN-CONTEXT ((PUSH-GOAL (IS X (LOWER-BOUND-OF S W))))
      (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (MEMBER-OF S)))
                   (LET-BE Y (MEMBER-OF S)))
        (IN-CONTEXT ((PUSH-GOAL (IS Y (UPPER-BOUND-OF S2 W))))
          (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (MEMBER-OF S2)))
                       (LET-BE Z (MEMBER-OF S2)))
            (NOTE-GOAL))
          (NOTE-GOAL)))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(IN-CONTEXT ((LET-BE W COMPLETE-LATTICE)
             (PUSH-GOAL (IS W LATTICE)))
  (IN-CONTEXT ((LET-BE X (IN-U-SET W))
               (LET-BE Y (IN-U-SET W))
               (LET-BE SXY (MAKE-SET X Y)))
    (NOTE-GOAL)))

(DEFTERM (INCLUSION-ORDER (F FAMILY-OF-SETS))
  (MAKE-RELATION-STRUCTURE
    (THE-RULE ((S (MEMBER-OF F)))
      (THE-SET-OF-ALL (AND-TYPE (MEMBER-OF F)
                                (PROPER-SUPERSET-OF S))))
    F))

(LEMMA (FORALL ((W COMPLETE-LATTICE))
         (IS W LATTICE)))

(LEMMA (FORALL ((W COMPLETE-LATTICE)
                (S (SUBSET-OF (U-SET W))))
         (EXISTS-SOME (GREATEST-LOWER-BOUND-OF S W))))
(LEMMA (FORALL ((F FAMILY-OF-SETS))
         (IS (THE-RULE ((S (MEMBER-OF F)))
               (THE-SET-OF-ALL (AND-TYPE (MEMBER-OF F)
                                         (PROPER-SUPERSET-OF S))))
             (RELATION-ON F))))

(LEMMA (FORALL ((F FAMILY-OF-SETS))
         (IS (INCLUSION-ORDER F) POSET)))

(IN-CONTEXT ((LET-BE F FAMILY-OF-SETS)
             (LET-BE R (THE-RULE ((S (MEMBER-OF F)))
                         (THE-SET-OF-ALL (AND-TYPE (MEMBER-OF F)
                                                   (PROPER-SUPERSET-OF S))))))
  (IN-CONTEXT ((PUSH-GOAL (IS R (RELATION-ON F)))
               (LET-BE S (MEMBER-OF F))
               (LET-BE F2 (APPLY-RULE R S)))
    (IN-CONTEXT ((PUSH-GOAL (IS F2 (SUBSET-OF F))))
      (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (MEMBER-OF F2)))
                   (LET-BE S2 (MEMBER-OF F2)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (IN-CONTEXT ((PUSH-GOAL (IS (INCLUSION-ORDER F) POSET)))
    (IN-CONTEXT ((PUSH-GOAL (IS R (PARTIAL-ORDER-ON F)))
                 (LET-BE S1 (MEMBER-OF F)))
      (IN-CONTEXT ((PUSH-GOAL (FORALL ((S2 (RELATED-TO S1 R)))
                                (IS-EVERY (RELATED-TO S2 R)
                                          (RELATED-TO S1 R)))))
        (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (RELATED-TO S1 R)))
                     (LET-BE S2 (RELATED-TO S1 R)))
          (IN-CONTEXT ((PUSH-GOAL (IS-EVERY (RELATED-TO S2 R)
                                            (RELATED-TO S1 R))))
            (IN-CONTEXT ((SUPPOSE (EXISTS-SOME (RELATED-TO S2 R)))
                         (LET-BE S3 (RELATED-TO S2 R)))
              (NOTE (IS S3 (NOT-EQUAL-TO S1)))
              (NOTE-GOAL))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (IN-CONTEXT ((LET-BE W (INCLUSION-ORDER F)))
      (NOTE-GOAL))))
(LEMMA (FORALL ((F FAMILY-OF-SETS))
         (= (U-SET (INCLUSION-ORDER F)) F)))

(LEMMA (FORALL ((F FAMILY-OF-SETS)
                (S2 (MEMBER-OF F))
                (S1 (MEMBER-OF F)))
         (IFF (IS S1 (LESS-OR-EQUAL-TO S2 (INCLUSION-ORDER F)))
              (IS S1 (SUBSET-OF S2)))))

(IN-CONTEXT ((LET-BE F FAMILY-OF-SETS)
             (LET-BE R (THE-RULE ((S (MEMBER-OF F)))
                         (THE-SET-OF-ALL (AND-TYPE (MEMBER-OF F)
                                                   (PROPER-SUPERSET-OF S)))))
             (LET-BE W (INCLUSION-ORDER F)))
  (NOTE (= (U-SET W) F))
  (IN-CONTEXT ((LET-BE S1 (MEMBER-OF F))
               (LET-BE S2 (MEMBER-OF F))
               (PUSH-GOAL (IFF (IS S1 (LESS-OR-EQUAL-TO S2 W))
                               (IS S1 (SUBSET-OF S2)))))
    (IN-CONTEXT ((SUPPOSE (IS S1 (LESS-OR-EQUAL-TO S2 W))))
      (IN-CONTEXT ((SUPPOSE (= S1 S2)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (IN-CONTEXT ((SUPPOSE (IS S1 (SUBSET-OF S2))))
      (IN-CONTEXT ((SUPPOSE (= S1 S2)))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))

(DEFTERM (POWER-SET-LATTICE (S NON-EMPTY-SET))
  (INCLUSION-ORDER (POWER-SET S)))

(DEFTYPE POWER-LATTICE
  (WRITABLE-AS (POWER-SET-LATTICE S)
               (S NON-EMPTY-SET)))
(LEMMA
 (FORALL ((B POWER-LATTICE))
   (IS B POSET)))

(LEMMA
 (FORALL ((B POWER-LATTICE))
   (IS (U-SET B)
       FAMILY-OF-SETS)))

(LEMMA
 (FORALL
  ((B POWER-LATTICE)
   (S NON-EMPTY-SET
      (= B (POWER-SET-LATTICE S))))
  (= S
     (FAMILY-UNION
      (U-SET B)))))

(IN-CONTEXT
 ((LET-BE B POWER-LATTICE)
  (WRITE-AS B (POWER-SET-LATTICE S)
            (S NON-EMPTY-SET))
  (LET-BE P (U-SET B))
  (LET-BE P2 (POWER-SET S)))
 (NOTE (IS B POSET))
 (NOTE (IS (U-SET B) FAMILY-OF-SETS))
 (NOTE (= S (FAMILY-UNION (U-SET B))))
 (NOTE (IS (FAMILY-UNION (U-SET B))
           NON-EMPTY-SET))
 (NOTE
  (= (U-SET B)
     (POWER-SET
      (FAMILY-UNION (U-SET B))))))
(LEMMA
 (FORALL ((B POWER-LATTICE))
   (IS (FAMILY-UNION (U-SET B))
       NON-EMPTY-SET)))

(LEMMA
 (FORALL ((B POWER-LATTICE))
   (= (U-SET B)
      (POWER-SET
       (FAMILY-UNION
        (U-SET B))))))

(LEMMA
 (FORALL ((B POWER-LATTICE)
          (S2 (IN-U-SET B)))
   (IS S2 SET)))

(LEMMA
 (FORALL ((B POWER-LATTICE)
          (S2 (IN-U-SET B)))
   (IS S2
       (SUBSET-OF
        (FAMILY-UNION
         (U-SET B))))))

(IN-CONTEXT
 ((LET-BE B POWER-LATTICE)
  (WRITE-AS B (POWER-SET-LATTICE S)
            (S NON-EMPTY-SET))
  (LET-BE P (U-SET B))
  (LET-BE S2 (IN-U-SET B)))
 (NOTE (IS S2 SET))
 (NOTE
  (IS S2
      (SUBSET-OF
       (FAMILY-UNION (U-SET B))))))
(LEMMA
 (FORALL ((B POWER-LATTICE)
          (S2 (SUBSET-OF
               (FAMILY-UNION
                (U-SET B)))))
   (IS S2 (IN-U-SET B))))

(LEMMA
 (FORALL
  ((B POWER-LATTICE)
   (S2 (IN-U-SET B))
   (S3 (LESS-OR-EQUAL-TO S2 B)))
  (IS S3 (SUBSET-OF S2))))

(LEMMA
 (FORALL ((B POWER-LATTICE)
          (S2 (IN-U-SET B))
          (S3 (SUBSET-OF S2)))
   (IS S3
       (LESS-OR-EQUAL-TO S2 B))))

(LEMMA
 (FORALL ((B POWER-LATTICE)
          (F (NON-EMPTY-SUBSET-OF
              (U-SET B))))
   (IS F FAMILY-OF-SETS)))

(IN-CONTEXT
 ((LET-BE B POWER-LATTICE)
  (WRITE-AS B (POWER-SET-LATTICE S)
            (S NON-EMPTY-SET))
  (LET-BE P (U-SET B)))
 (IN-CONTEXT
  ((LET-BE S2
     (SUBSET-OF
      (FAMILY-UNION (U-SET B)))))
  (NOTE (IS S2 (IN-U-SET B))))
 (IN-CONTEXT ((LET-BE S2 (IN-U-SET B)))
  (IN-CONTEXT
   ((LET-BE S3 (LESS-OR-EQUAL-TO S2 B)))
   (NOTE (IS S3 (SUBSET-OF S2))))
  (IN-CONTEXT ((LET-BE S3 (SUBSET-OF S2)))
   (NOTE (IS S3 (LESS-OR-EQUAL-TO S2 B)))))
 (IN-CONTEXT
  ((LET-BE F (NON-EMPTY-SUBSET-OF (U-SET B)))
   (PUSH-GOAL (IS F FAMILY-OF-SETS)))
  (IN-CONTEXT ((LET-BE S (MEMBER-OF F)))
   (NOTE-GOAL))))

(LEMMA
 (FORALL ((B POWER-LATTICE)
          (F (NON-EMPTY-SUBSET-OF
              (U-SET B))))
   (IS (FAMILY-UNION F)
       (LEAST-UPPER-BOUND-OF F B))))

(IN-CONTEXT
 ((LET-BE B POWER-LATTICE)
  (LET-BE F (NON-EMPTY-SUBSET-OF (U-SET B)))
  (LET-BE LUB (FAMILY-UNION F))
  (PUSH-GOAL
   (IS LUB (LEAST-UPPER-BOUND-OF F B))))
 (IN-CONTEXT
  ((PUSH-GOAL (IS LUB (IN-U-SET B)))
   (LET-BE S (FAMILY-UNION (U-SET B))))
  (NOTE-GOAL))
 (IN-CONTEXT
  ((PUSH-GOAL
    (IS LUB (UPPER-BOUND-OF F B)))
   (LET-BE S (MEMBER-OF F)))
  (NOTE-GOAL))
 (IN-CONTEXT
  ((LET-BE S (UPPER-BOUND-OF F B)))
  (IN-CONTEXT
   ((PUSH-GOAL
     (IS-EVERY (MEMBER-OF F)
               (SUBSET-OF S)))
    (LET-BE S2 (MEMBER-OF F)))
   (NOTE-GOAL))
  (NOTE-GOAL)))
(LEMMA
 (FORALL ((B POWER-LATTICE)
          (F (NON-EMPTY-SUBSET-OF
              (U-SET B))))
   (IS (FAMILY-INTERSECTION F)
       (GREATEST-LOWER-BOUND-OF F B))))

(IN-CONTEXT
 ((LET-BE B POWER-LATTICE)
  (LET-BE F (NON-EMPTY-SUBSET-OF (U-SET B)))
  (LET-BE GLB (FAMILY-INTERSECTION F))
  (PUSH-GOAL
   (IS GLB
       (GREATEST-LOWER-BOUND-OF F B))))
 (IN-CONTEXT
  ((PUSH-GOAL (IS GLB (IN-U-SET B)))
   (LET-BE S (FAMILY-UNION (U-SET B)))
   (LET-BE S2 (MEMBER-OF F)))
  (NOTE-GOAL))
 (IN-CONTEXT
  ((PUSH-GOAL (IS GLB (LOWER-BOUND-OF F B)))
   (LET-BE S (MEMBER-OF F)))
  (NOTE-GOAL))
 (IN-CONTEXT
  ((LET-BE S (LOWER-BOUND-OF F B)))
  (IN-CONTEXT
   ((PUSH-GOAL
     (IS-EVERY (MEMBER-OF F)
               (SUPERSET-OF S)))
    (LET-BE S2 (MEMBER-OF F)))
   (NOTE-GOAL))
  (NOTE-GOAL)))
(LEMMA
 (FORALL ((B POWER-LATTICE))
   (IS B COMPLETE-LATTICE)))

(IN-CONTEXT
 ((LET-BE B POWER-LATTICE)
  (PUSH-GOAL (IS B COMPLETE-LATTICE)))
 (IN-CONTEXT
  ((LET-BE F (SUBSET-OF (U-SET B))))
  (IN-CONTEXT
   ((PUSH-GOAL
     (EXISTS-SOME
      (LEAST-UPPER-BOUND-OF F B))))
   (IN-CONTEXT
    ((SUPPOSE
      (EXISTS-SOME (MEMBER-OF F))))
    (IN-CONTEXT
     ((LET-BE S (U-SET B)))
     (NOTE+GENERALIZE
      (IS F
          (NON-EMPTY-SUBSET-OF
           (U-SET B)))))
    (NOTE-GOAL))
   (IN-CONTEXT
    ((SUPPOSE
      (NOT (EXISTS-SOME (MEMBER-OF F))))
     (LET-BE ESET THE-EMPTY-SET))
    (IN-CONTEXT
     ((PUSH-GOAL (IS ESET (IN-U-SET B)))
      (LET-BE S (FAMILY-UNION (U-SET B))))
     (NOTE-GOAL))
    (IN-CONTEXT
     ((LET-BE S (UPPER-BOUND-OF F B)))
     (NOTE-GOAL)))
   (NOTE-GOAL))
  (NOTE-GOAL)))


APPENDIX A. THE STONE REPRESENTATION THEOREM


(LEMMA
 (FORALL ((B POWER-LATTICE)
          (S1 (IN-U-SET B))
          (S2 (IN-U-SET B)))
   (= (JOIN S1 S2 B)
      (UNION S1 S2))))

(LEMMA
 (FORALL ((B POWER-LATTICE)
          (S1 (IN-U-SET B))
          (S2 (IN-U-SET B)))
   (= (MEET S1 S2 B)
      (INTERSECTION S1 S2))))

(IN-CONTEXT ((LET-BE B POWER-LATTICE)
             (LET-BE S1 (IN-U-SET B))
             (LET-BE S2 (IN-U-SET B)))
 (IN-CONTEXT
  ((PUSH-GOAL
    (= (JOIN S1 S2 B)
       (UNION S1 S2))))
  (IN-CONTEXT
   ((LET-BE S3 (MAKE-SET S1 S2)))
   (NOTE
    (EXACTLY-ONE
     (LEAST-UPPER-BOUND-OF S3 B)))
   (NOTE
    (IS (UNION S1 S2)
        (LEAST-UPPER-BOUND-OF S3 B)))
   (IN-CONTEXT
    ((LET-BE J (JOIN S1 S2 B))
     (LET-BE U (UNION S1 S2)))
    (NOTE-GOAL))))
 (IN-CONTEXT
  ((PUSH-GOAL
    (= (MEET S1 S2 B)
       (INTERSECTION S1 S2))))
  (IN-CONTEXT
   ((LET-BE S3 (MAKE-SET S1 S2)))
   (NOTE
    (EXACTLY-ONE
     (GREATEST-LOWER-BOUND-OF S3 B)))
   (NOTE
    (IS (INTERSECTION S1 S2)
        (GREATEST-LOWER-BOUND-OF S3 B)))
   (IN-CONTEXT
    ((LET-BE J (MEET S1 S2 B))
     (LET-BE U (INTERSECTION S1 S2)))
    (NOTE-GOAL)))))
(LEMMA
 (FORALL ((L LATTICE)
          (X (IN-U-SET L))
          (Y (IN-U-SET L)))
   (IS (MEET X Y L)
       (LESS-OR-EQUAL-TO X L))))

(LEMMA
 (FORALL ((L LATTICE)
          (X (IN-U-SET L))
          (Y (IN-U-SET L)))
   (IS (JOIN X Y L)
       (GREATER-OR-EQUAL-TO X L))))

(LEMMA
 (FORALL ((L LATTICE)
          (X (IN-U-SET L))
          (Y (IN-U-SET L)))
   (IS-EVERY
    (AND-TYPE
     (LESS-OR-EQUAL-TO X L)
     (LESS-OR-EQUAL-TO Y L))
    (LESS-OR-EQUAL-TO
     (MEET X Y L)
     L))))

(LEMMA
 (FORALL ((L LATTICE)
          (X (IN-U-SET L))
          (Y (IN-U-SET L)))
   (IS-EVERY
    (AND-TYPE
     (GREATER-OR-EQUAL-TO X L)
     (GREATER-OR-EQUAL-TO Y L))
    (GREATER-OR-EQUAL-TO
     (JOIN X Y L)
     L))))

(IN-CONTEXT
 ((LET-BE L LATTICE)
  (LET-BE X (IN-U-SET L))
  (LET-BE Y (IN-U-SET L))
  (LET-BE S (MAKE-SET X Y)))
 (IN-CONTEXT
  ((PUSH-GOAL
    (IS (MEET X Y L)
        (LESS-OR-EQUAL-TO X L)))
   (LET-BE M (MEET X Y L)))
  (NOTE-GOAL))
 (IN-CONTEXT
  ((PUSH-GOAL
    (IS (JOIN X Y L)
        (GREATER-OR-EQUAL-TO X L)))
   (LET-BE J (JOIN X Y L)))
  (NOTE-GOAL))
 (IN-CONTEXT
  ((PUSH-GOAL
    (IS-EVERY
     (AND-TYPE
      (LESS-OR-EQUAL-TO X L)
      (LESS-OR-EQUAL-TO Y L))
     (LESS-OR-EQUAL-TO (MEET X Y L) L))))
  (IN-CONTEXT
   ((SUPPOSE
     (EXISTS-SOME
      (AND-TYPE
       (LESS-OR-EQUAL-TO X L)
       (LESS-OR-EQUAL-TO Y L))))
    (LET-BE Z
      (AND-TYPE (LESS-OR-EQUAL-TO X L)
                (LESS-OR-EQUAL-TO Y L)))
    (LET-BE M (MEET X Y L)))
   (NOTE-GOAL))
  (NOTE-GOAL))
 (IN-CONTEXT
  ((PUSH-GOAL
    (IS-EVERY
     (AND-TYPE
      (GREATER-OR-EQUAL-TO X L)
      (GREATER-OR-EQUAL-TO Y L))
     (GREATER-OR-EQUAL-TO (JOIN X Y L) L))))
  (IN-CONTEXT
   ((SUPPOSE
     (EXISTS-SOME
      (AND-TYPE (GREATER-OR-EQUAL-TO X L)
                (GREATER-OR-EQUAL-TO Y L))))
    (LET-BE Z (AND-TYPE
               (GREATER-OR-EQUAL-TO X L)
               (GREATER-OR-EQUAL-TO Y L)))
    (LET-BE J (JOIN X Y L)))
   (NOTE-GOAL))
  (NOTE-GOAL)))




(LEMMA
 (FORALL ((L LATTICE)
          (Y (IN-U-SET L))
          (X (IN-U-SET L)))
   (IFF (IS X
            (LESS-OR-EQUAL-TO Y L))
        (= (MEET X Y L)
           X))))

(LEMMA
 (FORALL ((L LATTICE)
          (Y (IN-U-SET L))
          (X (IN-U-SET L)))
   (IFF (IS X
            (GREATER-OR-EQUAL-TO Y L))
        (= (JOIN X Y L)
           X))))

(LEMMA
 (FORALL ((L LATTICE)
          (X (IN-U-SET L))
          (Y (IN-U-SET L)))
   (= (JOIN (MEET X Y L)
            Y
            L)
      Y)))

(LEMMA
 (FORALL ((L LATTICE)
          (X (IN-U-SET L))
          (Y (IN-U-SET L)))
   (= (MEET (JOIN X Y L)
            Y
            L)
      Y)))

(IN-CONTEXT ((LET-BE L LATTICE)
             (LET-BE X (IN-U-SET L))
             (LET-BE Y (IN-U-SET L)))
 (IN-CONTEXT
  ((PUSH-GOAL
    (IFF (IS X (LESS-OR-EQUAL-TO Y L))
         (= (MEET X Y L) X))))
  ;the only-if case is trivial
  (IN-CONTEXT ((SUPPOSE (= (MEET X Y L) X)))
   (NOTE-GOAL))
  (IN-CONTEXT
   ((SUPPOSE
     (IS X (LESS-OR-EQUAL-TO Y L))))
   ;in this case it is obvious that x
   ;is a lower bound, thus we only need
   ;to show that x is the greatest lower
   ;bound
   (IN-CONTEXT
    ((LET-BE Z
       (UPPER-BOUND-OF (MAKE-SET X Y) L))
     (LET-BE S (MAKE-SET X Y)))
    (NOTE-GOAL)))
  (NOTE-GOAL))
 (IN-CONTEXT
  ((PUSH-GOAL
    (IFF (IS X (GREATER-OR-EQUAL-TO Y L))
         (= (JOIN X Y L) X))))
  (IN-CONTEXT ((SUPPOSE (= (JOIN X Y L) X)))
   (NOTE-GOAL))
  (IN-CONTEXT
   ((SUPPOSE
     (IS X (GREATER-OR-EQUAL-TO Y L))))
   (IN-CONTEXT
    ((LET-BE Z
       (UPPER-BOUND-OF (MAKE-SET X Y) L))
     (LET-BE S (MAKE-SET X Y)))
    (NOTE-GOAL)))
  (NOTE-GOAL))
 (IN-CONTEXT
  ((PUSH-GOAL (= (JOIN (MEET X Y L) Y L)
                 Y))
   (LET-BE M (MEET X Y L)))
  (NOTE-GOAL))
 (IN-CONTEXT
  ((PUSH-GOAL (= (MEET (JOIN X Y L) Y L)
                 Y))
   (LET-BE J (JOIN X Y L)))
  (NOTE-GOAL)))
(LEMMA
 (FORALL ((L LATTICE)
          (X (IN-U-SET L))
          (X2 (LESS-OR-EQUAL-TO X L))
          (Y (IN-U-SET L)))
   (IS (MEET X2 Y L)
       (LESS-OR-EQUAL-TO (MEET X Y L)
                         L))))

(LEMMA
 (FORALL ((L LATTICE)
          (X (IN-U-SET L))
          (X2 (LESS-OR-EQUAL-TO X L))
          (Y (IN-U-SET L)))
   (IS (JOIN X Y L)
       (GREATER-OR-EQUAL-TO
        (JOIN X2 Y L)
        L))))

(IN-CONTEXT
 ((LET-BE L LATTICE)
  (LET-BE X (IN-U-SET L))
  (LET-BE Y (IN-U-SET L))
  (LET-BE X2 (LESS-OR-EQUAL-TO X L)))
 (IN-CONTEXT
  ((PUSH-GOAL
    (IS (MEET X2 Y L)
        (LESS-OR-EQUAL-TO (MEET X Y L) L))))
  (IN-CONTEXT ((LET-BE M (MEET X2 Y L)))
   (NOTE-GOAL)))
 (IN-CONTEXT
  ((PUSH-GOAL
    (IS (JOIN X Y L)
        (GREATER-OR-EQUAL-TO
         (JOIN X2 Y L)
         L))))
  (IN-CONTEXT ((LET-BE J (JOIN X Y L)))
   (NOTE-GOAL))))

(LEMMA
 (FORALL ((L LATTICE)
          (X (IN-U-SET L))
          (Y (IN-U-SET L))
          (Z (IN-U-SET L)))
   (= (MEET Z (MEET X Y L) L)
      (THE
       (GREATEST-LOWER-BOUND-OF
        (MAKE-SET X Y Z)
        L)))))

(LEMMA
 (FORALL ((L LATTICE)
          (X (IN-U-SET L))
          (Y (IN-U-SET L))
          (Z (IN-U-SET L)))
   (= (JOIN Z (JOIN X Y L) L)
      (THE
       (LEAST-UPPER-BOUND-OF
        (MAKE-SET X Y Z)
        L)))))

(IN-CONTEXT
 ((LET-BE L LATTICE)
  (LET-BE X (IN-U-SET L))
  (LET-BE Y (IN-U-SET L))
  (LET-BE Z (IN-U-SET L))
  (LET-BE SXY (MAKE-SET X Y))
  (LET-BE SXYZ (MAKE-SET X Y Z)))
 ;meet is associative
 (IN-CONTEXT
  ((LET-BE MXY (MEET X Y L))
   (LET-BE MXYZ (MEET Z MXY L))
   (PUSH-GOAL
    (= MXYZ
       (THE
        (GREATEST-LOWER-BOUND-OF SXYZ L)))))
  ;it is already a lower bound so we must show
  ;that it is the greatest
  (IN-CONTEXT
   ((LET-BE LBOUND (LOWER-BOUND-OF SXYZ L)))
   (NOTE-GOAL)))
 ;join is associative
 (IN-CONTEXT
  ((LET-BE JXY (JOIN X Y L))
   (LET-BE JXYZ (JOIN Z JXY L))
   (PUSH-GOAL
    (= JXYZ
       (THE
        (LEAST-UPPER-BOUND-OF SXYZ L)))))
  (IN-CONTEXT
   ((LET-BE UBOUND (UPPER-BOUND-OF SXYZ L)))
   (NOTE-GOAL))))




(LEMMA
 (FORALL ((L LATTICE)
          (Y (IN-U-SET L))
          (X (IN-U-SET L)))
   (= (MEET X Y L)
      (MEET Y X L))))

(LEMMA
 (FORALL ((L LATTICE)
          (Y (IN-U-SET L))
          (X (IN-U-SET L)))
   (= (JOIN X Y L)
      (JOIN Y X L))))

(LEMMA
 (FORALL ((L LATTICE)
          (Z (IN-U-SET L))
          (X (IN-U-SET L))
          (Y (IN-U-SET L)))
   (= (MEET (MEET X Y L) Z L)
      (MEET Z (MEET X Y L) L))))

(LEMMA
 (FORALL ((L LATTICE)
          (Z (IN-U-SET L))
          (X (IN-U-SET L))
          (Y (IN-U-SET L)))
   (= (JOIN (JOIN X Y L) Z L)
      (JOIN Z (JOIN X Y L) L))))

(LEMMA
 (FORALL ((L LATTICE)
          (X (IN-U-SET L))
          (Y (IN-U-SET L))
          (Z (IN-U-SET L)))
   (= (MEET X (MEET Y Z L) L)
      (MEET (MEET X Y L) Z L))))

(LEMMA
 (FORALL ((L LATTICE)
          (X (IN-U-SET L))
          (Y (IN-U-SET L))
          (Z (IN-U-SET L)))
   (= (JOIN X (JOIN Y Z L) L)
      (JOIN (JOIN X Y L) Z L))))

(IN-CONTEXT ((LET-BE L LATTICE)
             (LET-BE X (IN-U-SET L))
             (LET-BE Y (IN-U-SET L)))
 (NOTE (= (MEET X Y L)
          (MEET Y X L)))
 (NOTE (= (JOIN X Y L)
          (JOIN Y X L)))
 (IN-CONTEXT ((LET-BE Z (IN-U-SET L)))
  (IN-CONTEXT ((LET-BE MXY (MEET X Y L)))
   (NOTE (= (MEET MXY Z L)
            (MEET Z MXY L))))
  (IN-CONTEXT ((LET-BE JXY (JOIN X Y L)))
   (NOTE (= (JOIN JXY Z L)
            (JOIN Z JXY L))))
  (NOTE (= (MEET X (MEET Y Z L) L)
           (MEET (MEET X Y L) Z L)))
  (NOTE (= (JOIN X (JOIN Y Z L) L)
           (JOIN (JOIN X Y L) Z L)))))
A.7 Bounded, Distributive and Complemented Lattices


A bounded lattice is a lattice with a greatest and a least member where
the greatest member is distinct from the least member (singleton lattices are
ruled out). If L is a bounded lattice and x and y are elements of L we say
that x and y are complements if their meet is the least member of L and
their join is the greatest member of L. A complemented lattice is a bounded
lattice in which every element has at least one complement.

A distributive lattice is a lattice in which meet distributes over join and
vice versa. In a bounded distributive lattice every element has at most one
complement. A Boolean lattice is a complemented distributive lattice. We
prove de Morgan's laws for Boolean lattices and establish several distinct
characterizations of the lattice order relation.

We also show that every power set lattice is a Boolean lattice.

(DEFTYPE BOUNDED-LATTICE
  (LAMBDA ((L LATTICE))
    (AND
     (EXISTS-SOME
      (GREATEST-MEMBER-OF (U-SET L) L))
     (EXISTS-SOME
      (LEAST-MEMBER-OF (U-SET L) L))
     (NOT
      (= (THE (GREATEST-MEMBER-OF (U-SET L) L))
         (THE (LEAST-MEMBER-OF (U-SET L) L)))))))

(LEMMA
 (FORALL ((L LATTICE))
   (AT-MOST-ONE
    (GREATEST-MEMBER-OF (U-SET L) L))))

(LEMMA
 (FORALL ((L LATTICE))
   (AT-MOST-ONE
    (LEAST-MEMBER-OF (U-SET L) L))))

(IN-CONTEXT ((LET-BE L LATTICE)
             (LET-BE S (U-SET L)))
 (NOTE (AT-MOST-ONE (GREATEST-MEMBER-OF S L)))
 (NOTE (AT-MOST-ONE (LEAST-MEMBER-OF S L))))

(DEFTERM (TOP (L BOUNDED-LATTICE))
  (THE (GREATEST-MEMBER-OF (U-SET L) L)))

(DEFTERM (BOTTOM (L BOUNDED-LATTICE))
  (THE (LEAST-MEMBER-OF (U-SET L) L)))
(LEMMA
 (FORALL ((L POWER-LATTICE))
   (NOT (= (FAMILY-UNION (U-SET L))
           THE-EMPTY-SET))))

(LEMMA
 (FORALL ((L POWER-LATTICE))
   (IS L BOUNDED-LATTICE)))

(LEMMA
 (FORALL ((L POWER-LATTICE))
   (= (TOP L)
      (FAMILY-UNION (U-SET L)))))

(LEMMA
 (FORALL ((L POWER-LATTICE))
   (= (BOTTOM L) THE-EMPTY-SET)))

(IN-CONTEXT
 ((LET-BE L POWER-LATTICE)
  (LET-BE F (U-SET L))
  (LET-BE T (FAMILY-UNION F))
  (LET-BE BOT THE-EMPTY-SET)
  (LET-BE X (IN-U-SET L)))
 (NOTE (NOT (= T BOT)))
 (NOTE (IS L BOUNDED-LATTICE))
 (NOTE (= (TOP L) T))
 (NOTE (= (BOTTOM L) BOT)))
(LEMMA
 (FORALL ((L BOUNDED-LATTICE))
   (IS (TOP L)
       (IN-U-SET L))))

(LEMMA
 (FORALL ((L BOUNDED-LATTICE)
          (X (IN-U-SET L)))
   (IS X
       (LESS-OR-EQUAL-TO (TOP L)
                         L))))

(LEMMA
 (FORALL ((L BOUNDED-LATTICE)
          (X (IN-U-SET L)))
   (= X
      (MEET X (TOP L) L))))

(LEMMA
 (FORALL ((L BOUNDED-LATTICE)
          (X (IN-U-SET L)))
   (= (TOP L)
      (JOIN X (TOP L) L))))

(LEMMA
 (FORALL ((L BOUNDED-LATTICE))
   (IS (BOTTOM L)
       (IN-U-SET L))))

(LEMMA
 (FORALL ((L BOUNDED-LATTICE)
          (X (IN-U-SET L)))
   (IS X
       (GREATER-OR-EQUAL-TO
        (BOTTOM L)
        L))))

(LEMMA
 (FORALL ((L BOUNDED-LATTICE)
          (X (IN-U-SET L)))
   (= X
      (JOIN X (BOTTOM L) L))))

(LEMMA
 (FORALL ((L BOUNDED-LATTICE)
          (X (IN-U-SET L)))
   (= (BOTTOM L)
      (MEET X (BOTTOM L) L))))

(IN-CONTEXT ((LET-BE L BOUNDED-LATTICE)
             (LET-BE X (IN-U-SET L))
             (LET-BE S (U-SET L)))
 (IN-CONTEXT ((LET-BE T (TOP L)))
  (NOTE (IS T (IN-U-SET L)))
  (NOTE (IS X (LESS-OR-EQUAL-TO T L)))
  (NOTE (= X (MEET X T L)))
  (NOTE (= T (JOIN X T L))))
 (IN-CONTEXT ((LET-BE F (BOTTOM L)))
  (NOTE (IS F (IN-U-SET L)))
  (NOTE (IS X (GREATER-OR-EQUAL-TO F L)))
  (NOTE (= X (JOIN X F L)))
  (NOTE (= F (MEET X F L)))))


(DEFTYPE DISTRIBUTIVE-LATTICE
  (LAMBDA ((L LATTICE))
    (FORALL ((X (IN-U-SET L))
             (Y (IN-U-SET L))
             (Z (IN-U-SET L)))
      (AND (= (JOIN X (MEET Y Z L) L)
              (MEET (JOIN X Y L) (JOIN X Z L) L))
           (= (MEET X (JOIN Y Z L) L)
              (JOIN (MEET X Y L) (MEET X Z L) L))))))
(LEMMA
 (FORALL ((L POWER-LATTICE)
          (S1 (IN-U-SET L))
          (S2 (IN-U-SET L))
          (S3 (IN-U-SET L)))
   (= (JOIN S1 (MEET S2 S3 L) L)
      (UNION
       S1
       (INTERSECTION S2 S3)))))

(LEMMA
 (FORALL ((L POWER-LATTICE)
          (S1 (IN-U-SET L))
          (S2 (IN-U-SET L))
          (S3 (IN-U-SET L)))
   (= (MEET (JOIN S1 S2 L)
            (JOIN S1 S3 L)
            L)
      (INTERSECTION
       (UNION S1 S2)
       (UNION S1 S3)))))

(LEMMA
 (FORALL ((L POWER-LATTICE)
          (S1 (IN-U-SET L))
          (S2 (IN-U-SET L))
          (S3 (IN-U-SET L)))
   (= (MEET S1 (JOIN S2 S3 L) L)
      (INTERSECTION S1 (UNION S2
                              S3)))))

(IN-CONTEXT ((LET-BE L POWER-LATTICE)
             (LET-BE S1 (IN-U-SET L))
             (LET-BE S2 (IN-U-SET L))
             (LET-BE S3 (IN-U-SET L)))
 (IN-CONTEXT ((LET-BE M23 (MEET S2 S3 L)))
  (NOTE (= (JOIN S1 M23 L)
           (UNION S1 (INTERSECTION S2 S3)))))
 (IN-CONTEXT ((LET-BE J12 (JOIN S1 S2 L))
              (LET-BE J13 (JOIN S1 S3 L)))
  (NOTE (= (MEET J12 J13 L)
           (INTERSECTION (UNION S1 S2)
                         (UNION S1 S3)))))
 (IN-CONTEXT ((LET-BE J23 (JOIN S2 S3 L)))
  (NOTE (= (MEET S1 J23 L)
           (INTERSECTION S1 (UNION S2 S3)))))
 (IN-CONTEXT ((LET-BE M12 (MEET S1 S2 L))
              (LET-BE M13 (MEET S1 S3 L)))
  (NOTE (= (JOIN M12 M13 L)
           (INTERSECTION (UNION S1 S2)
                         (UNION S1 S3)))))
 (NOTE (IS L DISTRIBUTIVE-LATTICE)))

(LEMMA
 (FORALL ((L POWER-LATTICE)
          (S2 (IN-U-SET L))
          (S1 (IN-U-SET L))
          (S3 (IN-U-SET L)))
   (= (JOIN (MEET S1 S2 L)
            (MEET S1 S3 L)
            L)
      (UNION (INTERSECTION S1 S2)
             (INTERSECTION S1 S3)))))

(LEMMA
 (FORALL ((L POWER-LATTICE))
   (IS L DISTRIBUTIVE-LATTICE)))
(DEFTYPE (COMPLEMENT-OF (X (IN-U-SET L))
                        (L BOUNDED-LATTICE))
  (LAMBDA ((Y (IN-U-SET L)))
    (AND (= (MEET X Y L)
            (BOTTOM L))
         (= (JOIN X Y L)
            (TOP L)))))

(DEFTYPE COMPLEMENTED-LATTICE
  (LAMBDA ((L BOUNDED-LATTICE))
    (FORALL ((X (IN-U-SET L)))
      (EXISTS-SOME
       (COMPLEMENT-OF X L)))))

(LEMMA
 (FORALL ((L POWER-LATTICE)
          (S1 (IN-U-SET L)))
   (IS (SET-DIFFERENCE
        (FAMILY-UNION (U-SET L))
        S1)
       (COMPLEMENT-OF S1 L))))

(LEMMA
 (FORALL ((L POWER-LATTICE))
   (IS L COMPLEMENTED-LATTICE)))

(IN-CONTEXT
 ((LET-BE L POWER-LATTICE)
  (LET-BE UNIVERSE (FAMILY-UNION (U-SET L)))
  (LET-BE S1 (IN-U-SET L))
  (LET-BE S2 (SET-DIFFERENCE UNIVERSE S1)))
 (NOTE (IS S2 (COMPLEMENT-OF S1 L)))
 (NOTE (IS L COMPLEMENTED-LATTICE)))

(LEMMA
 (EXISTS-SOME
  (AND-TYPE DISTRIBUTIVE-LATTICE
            BOUNDED-LATTICE)))

(IN-CONTEXT ((LET-BE L POWER-LATTICE))
 (NOTE
  (EXISTS-SOME
   (AND-TYPE DISTRIBUTIVE-LATTICE
             BOUNDED-LATTICE))))

(LEMMA
 (FORALL ((L (AND-TYPE
              DISTRIBUTIVE-LATTICE
              BOUNDED-LATTICE))
          (X (IN-U-SET L)))
   (AT-MOST-ONE (COMPLEMENT-OF X L))))

(IN-CONTEXT
 ((LET-BE L (AND-TYPE DISTRIBUTIVE-LATTICE
                      BOUNDED-LATTICE))
  (LET-BE X (IN-U-SET L))
  (PUSH-GOAL (AT-MOST-ONE (COMPLEMENT-OF X L))))
 (IN-CONTEXT
  ((SUPPOSE
    (EXISTS-SOME (COMPLEMENT-OF X L)))
   (LET-BE Y1 (COMPLEMENT-OF X L))
   (LET-BE Y2 (COMPLEMENT-OF X L)))
  (NOTE-GOAL))
 (NOTE-GOAL))

(DEFTYPE BOOLEAN-LATTICE
  (AND-TYPE DISTRIBUTIVE-LATTICE
            COMPLEMENTED-LATTICE))

(DEFTERM (COMPLEMENT
          (X (IN-U-SET B))
          (B BOOLEAN-LATTICE))
  (THE (COMPLEMENT-OF X B)))


(LEMMA
 (EXISTS-SOME BOOLEAN-LATTICE))

(LEMMA
 (FORALL ((B BOOLEAN-LATTICE)
          (X (IN-U-SET B))
          (Y (IN-U-SET B)))
   (= (COMPLEMENT (MEET X Y B) B)
      (JOIN (COMPLEMENT X B)
            (COMPLEMENT Y B)
            B))))

(LEMMA
 (FORALL ((B BOOLEAN-LATTICE)
          (X (IN-U-SET B))
          (Y (IN-U-SET B)))
   (= (COMPLEMENT (JOIN X Y B) B)
      (MEET (COMPLEMENT X B)
            (COMPLEMENT Y B)
            B))))

(IN-CONTEXT ((LET-BE L POWER-LATTICE))
 (NOTE (EXISTS-SOME BOOLEAN-LATTICE)))

(IN-CONTEXT
 ((LET-BE B BOOLEAN-LATTICE)
  (LET-BE X (IN-U-SET B))
  (LET-BE Y (IN-U-SET B))
  (LET-BE CX (COMPLEMENT X B))
  (LET-BE CY (COMPLEMENT Y B)))
 (IN-CONTEXT ((LET-BE M (MEET X Y B))
              (LET-BE J (JOIN CX CY B)))
  (NOTE (= (COMPLEMENT M B) J)))
 (IN-CONTEXT ((LET-BE J (JOIN X Y B))
              (LET-BE M (MEET CX CY B)))
  (NOTE (= (COMPLEMENT J B) M))))

(LEMMA
 (FORALL ((B BOOLEAN-LATTICE)
          (X (IN-U-SET B))
          (Y (IN-U-SET B)))
   (= (MEET X Y B)
      (COMPLEMENT
       (JOIN (COMPLEMENT X B)
             (COMPLEMENT Y B)
             B)
       B))))

(LEMMA
 (FORALL ((B BOOLEAN-LATTICE)
          (X (IN-U-SET B))
          (Y (IN-U-SET B)))
   (= (JOIN X Y B)
      (COMPLEMENT
       (MEET (COMPLEMENT X B)
             (COMPLEMENT Y B)
             B)
       B))))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE X (IN-U-SET B))
             (LET-BE Y (IN-U-SET B)))
 (IN-CONTEXT ((LET-BE M (MEET X Y B))
              (LET-BE J (JOIN (COMPLEMENT X B)
                              (COMPLEMENT Y B)
                              B)))
  (NOTE (= M (COMPLEMENT J B))))
 (IN-CONTEXT ((LET-BE J (JOIN X Y B))
              (LET-BE M (MEET (COMPLEMENT X B)
                              (COMPLEMENT Y B)
                              B)))
  (NOTE (= J (COMPLEMENT M B)))))
;the following are equivalent:
; (IS X (LESS-OR-EQUAL-TO Y B))
; (IS (COMPLEMENT Y B)
;     (LESS-OR-EQUAL-TO
;      (COMPLEMENT X B)
;      B))
; (= (MEET X (COMPLEMENT Y B) B)
;    (BOTTOM B))
; (= (JOIN (COMPLEMENT X B) Y B)
;    (TOP B))

(LEMMA
 (FORALL ((B BOOLEAN-LATTICE)
          (X (IN-U-SET B))
          (Y (IN-U-SET B)))
   (=> (IS X
           (LESS-OR-EQUAL-TO Y B))
       (IS (COMPLEMENT Y B)
           (LESS-OR-EQUAL-TO
            (COMPLEMENT X B)
            B)))))

(LEMMA
 (FORALL ((B BOOLEAN-LATTICE)
          (X (IN-U-SET B))
          (Y (IN-U-SET B)))
   (=> (IS (COMPLEMENT Y B)
           (LESS-OR-EQUAL-TO
            (COMPLEMENT X B)
            B))
       (= (MEET X (COMPLEMENT Y B) B)
          (BOTTOM B)))))

(LEMMA
 (FORALL ((B BOOLEAN-LATTICE)
          (X (IN-U-SET B))
          (Y (IN-U-SET B)))
   (=> (= (MEET X (COMPLEMENT Y B) B)
          (BOTTOM B))
       (= (JOIN (COMPLEMENT X B) Y B)
          (TOP B)))))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE X (IN-U-SET B))
             (LET-BE Y (IN-U-SET B)))
 (IN-CONTEXT
  ((SUPPOSE (IS X (LESS-OR-EQUAL-TO Y B)))
   (PUSH-GOAL (IS (COMPLEMENT Y B)
                  (LESS-OR-EQUAL-TO
                   (COMPLEMENT X B)
                   B))))
  (IN-CONTEXT ((LET-BE CX (COMPLEMENT X B))
               (LET-BE CY (COMPLEMENT Y B)))
   (NOTE-GOAL)))
 (IN-CONTEXT
  ((SUPPOSE (IS (COMPLEMENT Y B)
                (LESS-OR-EQUAL-TO
                 (COMPLEMENT X B)
                 B)))
   (PUSH-GOAL (= (MEET X (COMPLEMENT Y B) B)
                 (BOTTOM B))))
  (IN-CONTEXT ((LET-BE CX (COMPLEMENT X B))
               (LET-BE CY (COMPLEMENT Y B)))
   (NOTE-GOAL)))
 (IN-CONTEXT
  ((SUPPOSE (= (MEET X (COMPLEMENT Y B) B)
               (BOTTOM B)))
   (PUSH-GOAL (= (JOIN (COMPLEMENT X B) Y B)
                 (TOP B))))
  (IN-CONTEXT ((LET-BE CY (COMPLEMENT Y B))
               (LET-BE J
                 (JOIN (COMPLEMENT X B) Y B)))
   (NOTE-GOAL)))
 (IN-CONTEXT
  ((SUPPOSE (= (JOIN (COMPLEMENT X B) Y B)
               (TOP B)))
   (PUSH-GOAL (IS X (LESS-OR-EQUAL-TO Y B))))
  (IN-CONTEXT ((LET-BE CX (COMPLEMENT X B))
               (LET-BE M (MEET X Y B)))
   (NOTE-GOAL))))

(LEMMA
 (FORALL ((B BOOLEAN-LATTICE)
          (Y (IN-U-SET B))
          (X (IN-U-SET B)))
   (=> (= (JOIN (COMPLEMENT X B) Y B)
          (TOP B))
       (IS X
           (LESS-OR-EQUAL-TO Y B)))))

A.8 Sublattices


A lattice subset of a Boolean lattice is a subset that is closed under the meet
and join operations of the lattice. The poset which results from restricting the
order of L to a lattice subset of L is called a lattice subalgebra of L. We prove
that a lattice subalgebra of L is a lattice with the same lattice operations as
L.

A Boolean subset of a Boolean lattice is a lattice subset which is also closed
under taking complements; by de Morgan's laws it is sufficient that the subset
be closed under intersection and complement, or under union and complement.
The poset which results from restricting the order of a Boolean lattice L to
a Boolean subset of L is called a Boolean subalgebra of L. We prove that a
Boolean subalgebra of L is a Boolean lattice with the same Boolean operations
as L.
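The definitions of sections A.7 and A.8 are stated in Ontic and verified symbolically. As an added example (not part of the Ontic development or its lemma library), the Python below models the power-set lattice of a small constructed universe and checks the same properties by brute force on a finite case: the lattice is bounded with top distinct from bottom (which is why POWER-SET-LATTICE requires a NON-EMPTY-SET), distributive, and complemented with exactly one complement per element; de Morgan's laws hold; the four characterizations of the order relation listed before the last group of lemmas in A.7 agree on every pair; and a chain that is a lattice subset need not be a Boolean subset, while closure under meet and complement alone already suffices. All class and function names (PowerSetLattice, is_boolean, is_boolean_subset and the rest) are this example's own assumptions, not Ontic names.

```python
from itertools import combinations


def powerset(universe):
    """All subsets of a finite universe, as frozensets.

    This is the U-SET of the power-set lattice: (POWER-SET S) in the text.
    """
    items = sorted(universe)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]


class PowerSetLattice:
    """Constructed model of (POWER-SET-LATTICE S): inclusion order on the
    power set of S, with meet = intersection, join = union and complement
    = set difference from S.  The class itself is an assumption of this
    example, not an Ontic construct."""

    def __init__(self, universe):
        self.universe = frozenset(universe)
        self.elements = powerset(self.universe)
        self.top = self.universe        # (TOP L): family union of the U-SET
        self.bottom = frozenset()       # (BOTTOM L): the empty set

    def leq(self, x, y):
        return x <= y                   # LESS-OR-EQUAL-TO is subset

    def meet(self, x, y):
        return x & y

    def join(self, x, y):
        return x | y

    def complement(self, x):
        return self.universe - x


def is_bounded(lat):
    """BOUNDED-LATTICE: greatest and least members exist and differ."""
    return (all(lat.leq(x, lat.top) for x in lat.elements)
            and all(lat.leq(lat.bottom, x) for x in lat.elements)
            and lat.top != lat.bottom)


def is_distributive(lat):
    """DISTRIBUTIVE-LATTICE: both distributive laws, checked on all triples."""
    e = lat.elements
    return all(
        lat.join(x, lat.meet(y, z)) == lat.meet(lat.join(x, y), lat.join(x, z))
        and lat.meet(x, lat.join(y, z)) == lat.join(lat.meet(x, y), lat.meet(x, z))
        for x in e for y in e for z in e)


def complements_of(lat, x):
    """Every y satisfying (COMPLEMENT-OF X L): meet is bottom, join is top."""
    return [y for y in lat.elements
            if lat.meet(x, y) == lat.bottom and lat.join(x, y) == lat.top]


def is_boolean(lat):
    """BOOLEAN-LATTICE: bounded, distributive and complemented; in a bounded
    distributive lattice the complement is unique, so we demand exactly one."""
    return (is_bounded(lat) and is_distributive(lat)
            and all(len(complements_of(lat, x)) == 1 for x in lat.elements))


def de_morgan_holds(lat):
    c = lat.complement
    return all(c(lat.meet(x, y)) == lat.join(c(x), c(y))
               and c(lat.join(x, y)) == lat.meet(c(x), c(y))
               for x in lat.elements for y in lat.elements)


def order_characterizations_agree(lat):
    """The four equivalent forms of x <= y from A.7 must agree on every pair."""
    c = lat.complement
    for x in lat.elements:
        for y in lat.elements:
            forms = {lat.leq(x, y),
                     lat.leq(c(y), c(x)),
                     lat.meet(x, c(y)) == lat.bottom,
                     lat.join(c(x), y) == lat.top}
            if len(forms) != 1:
                return False
    return True


def is_lattice_subset(lat, s):
    """LATTICE-SUBSET-OF: non-empty and closed under meet and join."""
    s = set(s)
    return bool(s) and all(lat.meet(x, y) in s and lat.join(x, y) in s
                           for x in s for y in s)


def is_boolean_subset(lat, s):
    """BOOLEAN-SUBSET-OF: a lattice subset also closed under complement."""
    s = set(s)
    return is_lattice_subset(lat, s) and all(lat.complement(x) in s for x in s)


def is_boolean_subset_via_meet_and_complement(lat, s):
    """The shortcut stated in A.8: closure under meet and complement already
    forces closure under join, because join is the complement of a meet."""
    s = set(s)
    return bool(s) and all(lat.complement(x) in s for x in s) and all(
        lat.meet(x, y) in s for x in s for y in s)


if __name__ == "__main__":
    lat = PowerSetLattice({1, 2, 3})          # constructed sample universe
    print("boolean:", is_boolean(lat), "de Morgan:", de_morgan_holds(lat))
    chain = [frozenset(), frozenset({1}), frozenset({1, 2}), frozenset({1, 2, 3})]
    print("chain is lattice subset:", is_lattice_subset(lat, chain),
          "Boolean subset:", is_boolean_subset(lat, chain))
```

The chain example is the instructive failure: it is closed under intersection and union, so it is a lattice subset and a lattice subalgebra in the sense of A.8, but the complement of {1} is {2, 3}, which is not in the chain, so it is not a Boolean subset. The two Boolean-subset predicates agree on every input, which is the finite shadow of the de Morgan argument in the text.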

(DEFTYPE (FINITE-MEET-SUBSET-OF (B LATTICE))
  (LAMBDA ((S (NON-EMPTY-SUBSET-OF (U-SET B))))
    (FORALL ((X (MEMBER-OF S)))
      (FORALL ((Y (MEMBER-OF S)))
        (IS (MEET X Y B) (MEMBER-OF S))))))

(DEFTYPE (FINITE-JOIN-SUBSET-OF (B LATTICE))
  (LAMBDA ((S (NON-EMPTY-SUBSET-OF (U-SET B))))
    (FORALL ((X (MEMBER-OF S)))
      (FORALL ((Y (MEMBER-OF S)))
        (IS (JOIN X Y B) (MEMBER-OF S))))))

(DEFTYPE (LATTICE-SUBSET-OF (L LATTICE))
  (AND-TYPE (FINITE-MEET-SUBSET-OF L)
            (FINITE-JOIN-SUBSET-OF L)))

(LEMMA
 (FORALL ((L LATTICE))
   (IS (U-SET L)
       (LATTICE-SUBSET-OF L))))

(IN-CONTEXT ((LET-BE L LATTICE)
             (LET-BE S (U-SET L))
             (PUSH-GOAL
              (IS S (LATTICE-SUBSET-OF L))))
 (IN-CONTEXT ((LET-BE X (IN-U-SET L))
              (LET-BE Y (IN-U-SET L)))
  (IN-CONTEXT ((LET-BE M (MEET X Y L)))
   (NOTE (IS M (MEMBER-OF S))))
  (IN-CONTEXT ((LET-BE J (JOIN X Y L)))
   (NOTE (IS J (MEMBER-OF S))))
  (NOTE-GOAL)))


(DEFTYPE (LATTICE-SUBALGEBRA-OF (L LATTICE))
  (WRITABLE-AS (RESTRICT-ORDER L S)
               (S (LATTICE-SUBSET-OF L))))

(LEMMA
 (FORALL ((L LATTICE))
   (EXISTS-SOME
    (LATTICE-SUBALGEBRA-OF L))))

(IN-CONTEXT ((LET-BE L LATTICE)
             (LET-BE S (U-SET L))
             (LET-BE L2 (RESTRICT-ORDER L S)))
 (NOTE
  (EXISTS-SOME
   (LATTICE-SUBALGEBRA-OF L))))

(LEMMA
 (FORALL
  ((L1 LATTICE)
   (L2 (LATTICE-SUBALGEBRA-OF L1)))
  (IS (U-SET L2)
      (LATTICE-SUBSET-OF L1))))

(IN-CONTEXT
 ((LET-BE L1 LATTICE)
  (LET-BE L2 (LATTICE-SUBALGEBRA-OF L1))
  (WRITE-AS L2 (RESTRICT-ORDER L1 S)
            (S (LATTICE-SUBSET-OF L1))))
 (NOTE (IS (U-SET L2) (LATTICE-SUBSET-OF L1))))
(LEMMA
 (FORALL
  ((L1 LATTICE)
   (L2 (LATTICE-SUBALGEBRA-OF L1))
   (X (IN-U-SET L2)))
  (IS X (IN-U-SET L1))))

(LEMMA
 (FORALL
  ((L1 LATTICE)
   (L2 (LATTICE-SUBALGEBRA-OF L1))
   (X (IN-U-SET L2))
   (Y (IN-U-SET L2)))
  (IS (JOIN X Y L1)
      (LEAST-UPPER-BOUND-OF
       (MAKE-SET X Y)
       L2))))

(LEMMA
 (FORALL
  ((L1 LATTICE)
   (L2 (LATTICE-SUBALGEBRA-OF L1))
   (X (IN-U-SET L2))
   (Y (IN-U-SET L2)))
  (IS (MEET X Y L1)
      (GREATEST-LOWER-BOUND-OF
       (MAKE-SET X Y)
       L2))))

(LEMMA
 (FORALL
  ((L1 LATTICE)
   (L2 (LATTICE-SUBALGEBRA-OF L1)))
  (IS L2 LATTICE)))

(IN-CONTEXT
 ((LET-BE L1 LATTICE)
  (LET-BE L2 (LATTICE-SUBALGEBRA-OF L1))
  (LET-BE X (IN-U-SET L2))
  (LET-BE Y (IN-U-SET L2))
  (WRITE-AS L2 (RESTRICT-ORDER L1 S)
            (S (LATTICE-SUBSET-OF L1))))
 (NOTE (IS X (IN-U-SET L1)))
 (IN-CONTEXT ((LET-BE S (MAKE-SET X Y)))
  (IN-CONTEXT
   ((LET-BE J (JOIN X Y L1))
    (PUSH-GOAL
     (IS J (LEAST-UPPER-BOUND-OF S L2)))
    (LET-BE Z (UPPER-BOUND-OF S L2)))
   (NOTE-GOAL))
  (IN-CONTEXT
   ((LET-BE M (MEET X Y L1))
    (PUSH-GOAL
     (IS M (GREATEST-LOWER-BOUND-OF S L2)))
    (LET-BE Z (LOWER-BOUND-OF S L2)))
   (NOTE-GOAL)))
 (NOTE (IS L2 LATTICE))
 (IN-CONTEXT ((LET-BE J (JOIN X Y L1)))
  (NOTE (= (JOIN X Y L1) (JOIN X Y L2))))
 (IN-CONTEXT ((LET-BE M (MEET X Y L1)))
  (NOTE (= (MEET X Y L1) (MEET X Y L2)))))

(LEMMA
 (FORALL
  ((L1 LATTICE)
   (L2 (LATTICE-SUBALGEBRA-OF L1))
   (X (IN-U-SET L2))
   (Y (IN-U-SET L2)))
  (= (JOIN X Y L1)
     (JOIN X Y L2))))

(LEMMA
 (FORALL
  ((L1 LATTICE)
   (L2 (LATTICE-SUBALGEBRA-OF L1))
   (X (IN-U-SET L2))
   (Y (IN-U-SET L2)))
  (= (MEET X Y L1)
     (MEET X Y L2))))


(LEMMA
 (FORALL
  ((L1 LATTICE)
   (L2 (LATTICE-SUBALGEBRA-OF L1))
   (Z (IN-U-SET L2))
   (X (IN-U-SET L2))
   (Y (IN-U-SET L2)))
  (= (MEET Z (JOIN X Y L2) L2)
     (MEET Z (JOIN X Y L1) L1))))

(LEMMA
 (FORALL
  ((L1 LATTICE)
   (L2 (LATTICE-SUBALGEBRA-OF L1))
   (Z (IN-U-SET L2))
   (X (IN-U-SET L2))
   (Y (IN-U-SET L2)))
  (= (JOIN Z (JOIN X Y L2) L2)
     (JOIN Z (JOIN X Y L1) L1))))

(LEMMA
 (FORALL
  ((L1 LATTICE)
   (L2 (LATTICE-SUBALGEBRA-OF L1))
   (X (IN-U-SET L2))
   (Z (IN-U-SET L2))
   (Y (IN-U-SET L2)))
  (= (MEET (JOIN X Y L2)
           (JOIN Z Y L2)
           L2)
     (MEET (JOIN X Y L1)
           (JOIN Z Y L1)
           L1))))

(IN-CONTEXT
 ((LET-BE L1 LATTICE)
  (LET-BE L2 (LATTICE-SUBALGEBRA-OF L1))
  (LET-BE X (IN-U-SET L2))
  (LET-BE Y (IN-U-SET L2))
  (LET-BE Z (IN-U-SET L2))
  (WRITE-AS L2 (RESTRICT-ORDER L1 S)
            (S (LATTICE-SUBSET-OF L1)))
  (LET-BE J (JOIN X Y L2)))
 (NOTE (= (MEET Z (JOIN X Y L2) L2)
          (MEET Z (JOIN X Y L1) L1)))
 (NOTE (= (JOIN Z (JOIN X Y L2) L2)
          (JOIN Z (JOIN X Y L1) L1)))
 (IN-CONTEXT ((LET-BE J2 (JOIN Z Y L2)))
  (NOTE (= (MEET (JOIN X Y L2)
                 (JOIN Z Y L2)
                 L2)
           (MEET (JOIN X Y L1)
                 (JOIN Z Y L1)
                 L1)))))
(LEMMA
  (FORALL ((L1 LATTICE)
           (L2 (LATTICE-SUBALGEBRA-OF L1))
           (Z (IN-U-SET L2))
           (X (IN-U-SET L2))
           (Y (IN-U-SET L2)))
    (= (JOIN Z (MEET X Y L2) L2)
       (JOIN Z (MEET X Y L1) L1))))

(LEMMA
  (FORALL ((L1 LATTICE)
           (L2 (LATTICE-SUBALGEBRA-OF L1))
           (Z (IN-U-SET L2))
           (X (IN-U-SET L2))
           (Y (IN-U-SET L2)))
    (= (MEET Z (MEET X Y L2) L2)
       (MEET Z (MEET X Y L1) L1))))

(LEMMA
  (FORALL ((L1 LATTICE)
           (L2 (LATTICE-SUBALGEBRA-OF L1))
           (X (IN-U-SET L2))
           (Z (IN-U-SET L2))
           (Y (IN-U-SET L2)))
    (= (JOIN (MEET X Y L2)
             (MEET Z Y L2)
             L2)
       (JOIN (MEET X Y L1)
             (MEET Z Y L1)
             L1))))


(IN-CONTEXT
  ((LET-BE L1 LATTICE)
   (LET-BE L2 (LATTICE-SUBALGEBRA-OF L1))
   (LET-BE X (IN-U-SET L2))
   (LET-BE Y (IN-U-SET L2))
   (LET-BE Z (IN-U-SET L2))
   (WRITE-AS L2 (RESTRICT-ORDER L1 S)
             (S (LATTICE-SUBSET-OF L1))))
  (IN-CONTEXT ((LET-BE M (MEET X Y L2)))
    (NOTE (= (JOIN Z (MEET X Y L2) L2)
             (JOIN Z (MEET X Y L1) L1)))
    (NOTE (= (MEET Z (MEET X Y L2) L2)
             (MEET Z (MEET X Y L1) L1)))
    (IN-CONTEXT ((LET-BE M2 (MEET Z Y L2)))
      (NOTE (= (JOIN (MEET X Y L2)
                     (MEET Z Y L2)
                     L2)
               (JOIN (MEET X Y L1)
                     (MEET Z Y L1)
                     L1)))))
  (IN-CONTEXT
    ((SUPPOSE (IS L1 DISTRIBUTIVE-LATTICE)))
    (NOTE (IS L2 DISTRIBUTIVE-LATTICE))))


(LEMMA
  (FORALL ((L1 LATTICE))
    (->
      (IS L1 DISTRIBUTIVE-LATTICE)
      (FORALL
        ((L2 (LATTICE-SUBALGEBRA-OF L1)))
        (IS L2 DISTRIBUTIVE-LATTICE)))))


(DEFTYPE (COMPLEMENTED-SUBSET-OF (B BOOLEAN-LATTICE))
  (LAMBDA ((S (NON-EMPTY-SUBSET-OF (U-SET B))))
    (FORALL ((X (MEMBER-OF S)))
      (IS (COMPLEMENT X B) (MEMBER-OF S)))))


(DEFTYPE (BOOLEAN-SUBSET-OF (B BOOLEAN-LATTICE))
  (AND-TYPE (FINITE-MEET-SUBSET-OF B)
            (FINITE-JOIN-SUBSET-OF B)
            (COMPLEMENTED-SUBSET-OF B)))




(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (S (SUBSET-OF (U-SET B))))
    (->
      (IS S
          (AND-TYPE
            (FINITE-MEET-SUBSET-OF B)
            (COMPLEMENTED-SUBSET-OF B)))
      (IS S (BOOLEAN-SUBSET-OF B)))))


(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE S (SUBSET-OF (U-SET B))))
  (IN-CONTEXT
    ((SUPPOSE
       (IS S
           (AND-TYPE
             (FINITE-MEET-SUBSET-OF B)
             (COMPLEMENTED-SUBSET-OF B))))
     (PUSH-GOAL (IS S (BOOLEAN-SUBSET-OF B))))
    (IN-CONTEXT ((LET-BE X (MEMBER-OF S))
                 (LET-BE Y (MEMBER-OF S)))
      (IN-CONTEXT ((LET-BE CX (COMPLEMENT X B))
                   (LET-BE CY (COMPLEMENT Y B)))
        (NOTE (IS (MEET CX CY B) (MEMBER-OF S))))
      (IN-CONTEXT ((LET-BE J (JOIN X Y B))
                   (LET-BE M
                     (MEET (COMPLEMENT X B)
                           (COMPLEMENT Y B)
                           B)))
        (NOTE-GOAL)))))


(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (S (SUBSET-OF (U-SET B))))
    (->
      (IS S
          (AND-TYPE
            (FINITE-JOIN-SUBSET-OF B)
            (COMPLEMENTED-SUBSET-OF B)))
      (IS S (BOOLEAN-SUBSET-OF B)))))


(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE S (SUBSET-OF (U-SET B))))
  (IN-CONTEXT
    ((SUPPOSE
       (IS S
           (AND-TYPE (FINITE-JOIN-SUBSET-OF B)
                     (COMPLEMENTED-SUBSET-OF B))))
     (PUSH-GOAL (IS S (BOOLEAN-SUBSET-OF B))))
    (IN-CONTEXT ((LET-BE X (MEMBER-OF S))
                 (LET-BE Y (MEMBER-OF S)))
      (IN-CONTEXT ((LET-BE CX (COMPLEMENT X B))
                   (LET-BE CY (COMPLEMENT Y B)))
        (NOTE (IS (JOIN CX CY B) (MEMBER-OF S))))
      (IN-CONTEXT ((LET-BE M (MEET X Y B))
                   (LET-BE J
                     (JOIN (COMPLEMENT X B)
                           (COMPLEMENT Y B)
                           B)))
        (NOTE-GOAL)))))


(DEFTYPE (BOOLEAN-SUBALGEBRA-OF (B BOOLEAN-LATTICE))
  (WRITABLE-AS (RESTRICT-ORDER B S)
               (S (BOOLEAN-SUBSET-OF B))))


(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (U-SET B)
        (BOOLEAN-SUBSET-OF B))))


(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE S (U-SET B))
             (PUSH-GOAL
               (IS S (BOOLEAN-SUBSET-OF B))))
  (IN-CONTEXT ((LET-BE X (IN-U-SET B)))
    (IN-CONTEXT ((LET-BE CX (COMPLEMENT X B)))
      (NOTE (IS CX (MEMBER-OF S))))
    (IN-CONTEXT ((LET-BE Y (IN-U-SET B)))
      (IN-CONTEXT ((LET-BE M (MEET X Y B)))
        (NOTE (IS M (MEMBER-OF S))))
      (NOTE-GOAL))))


(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1)))
    (IS B2 (LATTICE-SUBALGEBRA-OF B1))))

(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1)))
    (IS (TOP B1) (IN-U-SET B2))))

(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1)))
    (IS (BOTTOM B1) (IN-U-SET B2))))

(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1)))
    (IS (TOP B1)
        (GREATEST-MEMBER-OF (U-SET B2)
                            B2))))

(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1)))
    (IS (BOTTOM B1)
        (LEAST-MEMBER-OF (U-SET B2) B2))))

(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1)))
    (= (TOP B2) (TOP B1))))

(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1)))
    (= (BOTTOM B2) (BOTTOM B1))))

(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1)))
    (IS B2 COMPLEMENTED-LATTICE)))

(LEMMA
  (FORALL ((B1 BOOLEAN-LATTICE)
           (B2 (BOOLEAN-SUBALGEBRA-OF B1))
           (X (IN-U-SET B2)))
    (= (COMPLEMENT X B2)
       (COMPLEMENT X B1))))


(IN-CONTEXT
  ((LET-BE B1 BOOLEAN-LATTICE)
   (LET-BE B2 (BOOLEAN-SUBALGEBRA-OF B1))
   (WRITE-AS B2 (RESTRICT-ORDER B1 S)
             (S (BOOLEAN-SUBSET-OF B1))))
  (NOTE (IS B2 (LATTICE-SUBALGEBRA-OF B1)))
  (IN-CONTEXT ((LET-BE X (IN-U-SET B2)))
    (IN-CONTEXT ((LET-BE CX (COMPLEMENT X B1)))
      ;top = (join x cx b1)
      (NOTE (IS (TOP B1) (IN-U-SET B2)))
      ;bottom = (meet x cx b1)
      (NOTE (IS (BOTTOM B1) (IN-U-SET B2)))))
  (IN-CONTEXT ((LET-BE T (TOP B1))
               (LET-BE X (IN-U-SET B2)))
    (NOTE
      (IS T
          (GREATEST-MEMBER-OF (U-SET B2) B2))))
  (IN-CONTEXT ((LET-BE F (BOTTOM B1))
               (LET-BE X (IN-U-SET B2)))
    (NOTE
      (IS F
          (LEAST-MEMBER-OF (U-SET B2) B2))))
  (IN-CONTEXT ((LET-BE T (TOP B1)))
    (NOTE (= (TOP B2) (TOP B1))))
  (IN-CONTEXT ((LET-BE F (BOTTOM B1)))
    (NOTE (= (BOTTOM B2) (BOTTOM B1))))
  (IN-CONTEXT ((LET-BE X (IN-U-SET B2))
               (LET-BE CX (COMPLEMENT X B1)))
    (NOTE (IS B2 COMPLEMENTED-LATTICE))
    (NOTE (= (COMPLEMENT X B2)
             (COMPLEMENT X B1)))))


A.9 Lattice Morphisms


A Boolean homomorphism is a map between Boolean lattices which commutes with meet, join, and complementation. By De Morgan's laws it suffices that the map commute with meet and complementation, or with join and complementation. The image of a Boolean homomorphism is a Boolean subset of the range lattice. A Boolean isomorphism is a bijective Boolean homomorphism.

(DEFTYPE LATTICE-MAP
  (LAMBDA ((H MAP))
    (AND (IS (DOMAIN H) LATTICE)
         (IS (RANGE H) LATTICE))))

(DEFTYPE MAP-WHICH-RESPECTS-JOIN
  (LAMBDA ((H LATTICE-MAP))
    (FORALL ((X (IN-MAP-DOMAIN H))
             (Y (IN-MAP-DOMAIN H)))
      (= (APPLY-MAP H (JOIN X Y (DOMAIN H)))
         (JOIN (APPLY-MAP H X)
               (APPLY-MAP H Y)
               (RANGE H))))))

(DEFTYPE MAP-WHICH-RESPECTS-MEET
  (LAMBDA ((H LATTICE-MAP))
    (FORALL ((X (IN-MAP-DOMAIN H))
             (Y (IN-MAP-DOMAIN H)))
      (= (APPLY-MAP H (MEET X Y (DOMAIN H)))
         (MEET (APPLY-MAP H X)
               (APPLY-MAP H Y)
               (RANGE H))))))

(DEFTYPE BOOLEAN-MAP
  (LAMBDA ((H LATTICE-MAP))
    (AND (IS (DOMAIN H)
             BOOLEAN-LATTICE)
         (IS (RANGE H)
             BOOLEAN-LATTICE))))

(DEFTYPE MAP-WHICH-RESPECTS-COMPLEMENT
  (LAMBDA ((H BOOLEAN-MAP))
    (FORALL ((X (IN-MAP-DOMAIN H)))
      (= (APPLY-MAP H (COMPLEMENT X (DOMAIN H)))
         (COMPLEMENT (APPLY-MAP H X)
                     (RANGE H))))))


(DEFTYPE BOOLEAN-HOMOMORPHISM
  (AND-TYPE MAP-WHICH-RESPECTS-JOIN
            MAP-WHICH-RESPECTS-MEET
            MAP-WHICH-RESPECTS-COMPLEMENT))

(DEFTYPE (BOOLEAN-HOMOMORPHISM-BETWEEN
           (B1 BOOLEAN-LATTICE)
           (B2 BOOLEAN-LATTICE))
  (LAMBDA ((H (MAP-BETWEEN B1 B2)))
    (IS H BOOLEAN-HOMOMORPHISM)))

(DEFTYPE BOOLEAN-ISOMORPHISM
  (AND-TYPE BOOLEAN-HOMOMORPHISM
            BIJECTION))

(DEFTYPE (BOOLEAN-ISOMORPHISM-BETWEEN
           (B1 BOOLEAN-LATTICE)
           (B2 BOOLEAN-LATTICE))
  (AND-TYPE (BOOLEAN-HOMOMORPHISM-BETWEEN B1 B2)
            BIJECTION))

(DEFTYPE (BOOLEAN-LATTICE-ISOMORPHIC-TO
           (B1 BOOLEAN-LATTICE))
  (LAMBDA ((B2 BOOLEAN-LATTICE))
    (EXISTS-SOME
      (BOOLEAN-ISOMORPHISM-BETWEEN B1 B2))))


(LEMMA
  (EXISTS-SOME LATTICE-MAP))

(IN-CONTEXT ((LET-BE L LATTICE)
             (LET-BE I (IDENTITY-MAP L)))
  (NOTE (EXISTS-SOME LATTICE-MAP)))

(LEMMA
  (EXISTS-SOME BOOLEAN-MAP))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE I (IDENTITY-MAP B)))
  (NOTE (EXISTS-SOME BOOLEAN-MAP)))




(LEMMA
  (FORALL ((H BOOLEAN-MAP))
    (->
      (AND
        (IS H
            MAP-WHICH-RESPECTS-COMPLEMENT)
        (IS H
            MAP-WHICH-RESPECTS-JOIN))
      (IS H MAP-WHICH-RESPECTS-MEET))))

(LEMMA
  (FORALL ((H BOOLEAN-MAP))
    (->
      (AND
        (IS H
            MAP-WHICH-RESPECTS-COMPLEMENT)
        (IS H
            MAP-WHICH-RESPECTS-MEET))
      (IS H MAP-WHICH-RESPECTS-JOIN))))


(IN-CONTEXT ((LET-BE H BOOLEAN-MAP)
             (LET-BE B1 (DOMAIN H))
             (LET-BE B2 (RANGE H)))
  (IN-CONTEXT
    ((SUPPOSE
       (IS H MAP-WHICH-RESPECTS-JOIN))
     (SUPPOSE
       (IS H MAP-WHICH-RESPECTS-COMPLEMENT))
     (PUSH-GOAL
       (IS H MAP-WHICH-RESPECTS-MEET)))
    (IN-CONTEXT ((LET-BE X (IN-U-SET B1))
                 (LET-BE Y (IN-U-SET B1)))
      (IN-CONTEXT
        ((LET-BE CX (COMPLEMENT X B1))
         (LET-BE CY (COMPLEMENT Y B1))
         (LET-BE J (JOIN CX CY B1)))
        (NOTE (= (APPLY-MAP H (MEET X Y B1))
                 (COMPLEMENT
                   (JOIN (COMPLEMENT
                           (APPLY-MAP H X)
                           B2)
                         (COMPLEMENT
                           (APPLY-MAP H Y)
                           B2)
                         B2)
                   B2))))
      (IN-CONTEXT ((LET-BE HX (APPLY-MAP H X))
                   (LET-BE HY (APPLY-MAP H Y)))
        (NOTE-GOAL))))
  (IN-CONTEXT
    ((SUPPOSE
       (IS H MAP-WHICH-RESPECTS-MEET))
     (SUPPOSE
       (IS H MAP-WHICH-RESPECTS-COMPLEMENT))
     (PUSH-GOAL
       (IS H MAP-WHICH-RESPECTS-JOIN)))
    (IN-CONTEXT ((LET-BE X (IN-U-SET B1))
                 (LET-BE Y (IN-U-SET B1)))
      (IN-CONTEXT
        ((LET-BE CX (COMPLEMENT X B1))
         (LET-BE CY (COMPLEMENT Y B1))
         (LET-BE M (MEET CX CY B1)))
        (NOTE (= (APPLY-MAP H (JOIN X Y B1))
                 (COMPLEMENT
                   (MEET (COMPLEMENT
                           (APPLY-MAP H X)
                           B2)
                         (COMPLEMENT
                           (APPLY-MAP H Y)
                           B2)
                         B2)
                   B2))))
      (IN-CONTEXT ((LET-BE HX (APPLY-MAP H X))
                   (LET-BE HY (APPLY-MAP H Y)))
        (NOTE-GOAL)))))
(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (IDENTITY-MAP B)
        BOOLEAN-HOMOMORPHISM)))


(IN-CONTEXT
  ((LET-BE B BOOLEAN-LATTICE)
   (LET-BE I (IDENTITY-MAP B))
   (PUSH-GOAL
     (IS I BOOLEAN-HOMOMORPHISM)))
  (IN-CONTEXT ((LET-BE X (IN-U-SET B))
               (LET-BE Y (IN-U-SET B)))
    (IN-CONTEXT ((LET-BE CX (COMPLEMENT X B)))
      (NOTE (IS I MAP-WHICH-RESPECTS-COMPLEMENT)))
    (IN-CONTEXT ((LET-BE J (JOIN X Y B)))
      (NOTE (IS I MAP-WHICH-RESPECTS-JOIN))))
  (NOTE-GOAL))


(LEMMA
  (FORALL ((H BOOLEAN-HOMOMORPHISM))
    (IS (IMAGE H)
        (BOOLEAN-SUBSET-OF
          (RANGE H)))))


(IN-CONTEXT ((LET-BE H BOOLEAN-HOMOMORPHISM)
             (LET-BE B1 (DOMAIN H))
             (LET-BE B2 (RANGE H))
             (LET-BE S (IMAGE H)))
  (IN-CONTEXT
    ((PUSH-GOAL
       (IS S (BOOLEAN-SUBSET-OF B2))))
    (IN-CONTEXT
      ((LET-BE X (MEMBER-OF S))
       (LET-BE Y (MEMBER-OF S))
       (WRITE-AS X (APPLY-MAP H PRE-X)
                 (PRE-X (IN-U-SET (DOMAIN H))))
       (WRITE-AS Y (APPLY-MAP H PRE-Y)
                 (PRE-Y (IN-U-SET (DOMAIN H)))))
      (IN-CONTEXT
        ((LET-BE PM
           (MEET PRE-X PRE-Y (DOMAIN H))))
        (NOTE
          (IS (MEET X Y B2)
              (MEMBER-OF S))))
      (IN-CONTEXT
        ((LET-BE PC
           (COMPLEMENT PRE-X (DOMAIN H))))
        (NOTE
          (IS (COMPLEMENT X B2)
              (MEMBER-OF S))))
      (NOTE-GOAL))))


(DEFTERM (BOOLEAN-IMAGE (H BOOLEAN-HOMOMORPHISM))
  (RESTRICT-ORDER (RANGE H) (IMAGE H)))




(LEMMA
  (FORALL ((H BOOLEAN-HOMOMORPHISM))
    (IS (BOOLEAN-IMAGE H)
        (BOOLEAN-SUBALGEBRA-OF
          (RANGE H)))))

(LEMMA
  (FORALL ((H BOOLEAN-HOMOMORPHISM))
    (IS (BOOLEAN-IMAGE H)
        BOOLEAN-LATTICE)))

(LEMMA
  (FORALL ((H BOOLEAN-HOMOMORPHISM))
    (IS (BOOLEAN-IMAGE H)
        (STRUCTURE-CONTAINING
          (IMAGE H)))))

(LEMMA
  (FORALL ((H BOOLEAN-HOMOMORPHISM))
    (= (U-SET (BOOLEAN-IMAGE H))
       (IMAGE H))))


(IN-CONTEXT ((LET-BE H BOOLEAN-HOMOMORPHISM)
             (LET-BE B2 (RANGE H))
             (LET-BE S2 (IMAGE H))
             (LET-BE B3 (BOOLEAN-IMAGE H)))
  (NOTE (IS B3 (BOOLEAN-SUBALGEBRA-OF B2)))
  (NOTE (IS B3 BOOLEAN-LATTICE))
  (NOTE (IS B3 (STRUCTURE-CONTAINING (IMAGE H))))
  (NOTE (= (U-SET B3) (IMAGE H))))


(LEMMA
  (FORALL
    ((H BOOLEAN-HOMOMORPHISM)
     (X (IN-U-SET (BOOLEAN-IMAGE H))))
    (= (COMPLEMENT X
                   (BOOLEAN-IMAGE H))
       (COMPLEMENT X
                   (RANGE H)))))

(LEMMA
  (FORALL
    ((H BOOLEAN-HOMOMORPHISM)
     (X (IN-U-SET
          (BOOLEAN-IMAGE H)))
     (Y (IN-U-SET
          (BOOLEAN-IMAGE H))))
    (= (JOIN X Y
             (BOOLEAN-IMAGE H))
       (JOIN X Y
             (RANGE H)))))

(LEMMA
  (FORALL
    ((H BOOLEAN-HOMOMORPHISM)
     (X (IN-U-SET
          (BOOLEAN-IMAGE H)))
     (Y (IN-U-SET
          (BOOLEAN-IMAGE H))))
    (= (MEET X Y
             (BOOLEAN-IMAGE H))
       (MEET X Y
             (RANGE H)))))

(LEMMA
  (FORALL ((H BOOLEAN-HOMOMORPHISM))
    (IS (SET!-RANGE H (BOOLEAN-IMAGE H))
        BOOLEAN-HOMOMORPHISM)))


(IN-CONTEXT
  ((LET-BE H BOOLEAN-HOMOMORPHISM)
   (LET-BE BIMAGE (BOOLEAN-IMAGE H))
   (LET-BE H2 (SET!-RANGE H BIMAGE)))
  (IN-CONTEXT ((LET-BE BRANGE (RANGE H))
               (LET-BE X (IN-U-SET BIMAGE))
               (LET-BE Y (IN-U-SET BIMAGE)))
    (NOTE (= (COMPLEMENT X BIMAGE)
             (COMPLEMENT X BRANGE)))
    (NOTE (= (JOIN X Y BIMAGE)
             (JOIN X Y BRANGE)))
    (NOTE (= (MEET X Y BIMAGE)
             (MEET X Y BRANGE))))
  (IN-CONTEXT
    ((PUSH-GOAL
       (IS H2 BOOLEAN-HOMOMORPHISM))
     (LET-BE BDOMAIN (DOMAIN H))
     (LET-BE X (IN-U-SET BDOMAIN))
     (LET-BE Y (IN-U-SET BDOMAIN))
     (LET-BE HX (APPLY-MAP H2 X))
     (LET-BE HY (APPLY-MAP H2 Y)))
    (IN-CONTEXT
      ((LET-BE CX (COMPLEMENT X BDOMAIN))
       (LET-BE HCX (APPLY-MAP H2 CX)))
      (NOTE
        (IS H2
            MAP-WHICH-RESPECTS-COMPLEMENT)))
    (IN-CONTEXT
      ((LET-BE MX (MEET X Y BDOMAIN))
       (LET-BE HMX (APPLY-MAP H2 MX)))
      (NOTE
        (IS H2 MAP-WHICH-RESPECTS-MEET)))
    (NOTE-GOAL)))


A.10 Filters and Ultrafilters

A filter in a bounded lattice L is a subset F of L which satisfies the following conditions:

• F does not contain the least member of L.

• If x is in F then every member of L greater than x is in F.

• If x and y are in F then the meet of x and y is in F.


If x is a member of a bounded lattice L then the filter generated by x is the set of all members of L greater than or equal to x. We show that the filter generated by x is a filter of L.

An ultrafilter is a maximal filter, i.e. an ultrafilter of L is a filter of L which is not a proper subset of any other filter of L. We show that the set of all filters of L ordered under inclusion is an inductive order and thus by Zorn's lemma every filter is contained in some ultrafilter. We also show that if the join of x and y is a member of an ultrafilter F then either x is in F or y is in F. This implies that if F is an ultrafilter in a Boolean lattice L and x is any member of L, either x or the complement of x is a member of the ultrafilter F.


(DEFTYPE (FILTER-OF (L BOUNDED-LATTICE))
  (LAMBDA ((S (NON-EMPTY-SUBSET-OF (U-SET L))))
    (AND (NOT (IS (BOTTOM L) (MEMBER-OF S)))
         (FORALL ((X (MEMBER-OF S)))
           (IS-EVERY (GREATER-OR-EQUAL-TO X L)
                     (MEMBER-OF S)))
         (FORALL ((X (MEMBER-OF S)))
           (FORALL ((Y (MEMBER-OF S)))
             (IS (MEET X Y L)
                 (MEMBER-OF S)))))))

(DEFTYPE (NON-BOTTOM-MEMBER-OF (L BOUNDED-LATTICE))
  (LAMBDA ((X (IN-U-SET L)))
    (NOT (= X (BOTTOM L)))))


(LEMMA
  (FORALL ((L BOUNDED-LATTICE))
    (EXISTS-SOME
      (NON-BOTTOM-MEMBER-OF L))))

(IN-CONTEXT ((LET-BE L BOUNDED-LATTICE)
             (LET-BE T (TOP L)))
  (NOTE
    (EXISTS-SOME
      (NON-BOTTOM-MEMBER-OF L))))


(DEFTERM (FILTER-GENERATED-BY
           (X (NON-BOTTOM-MEMBER-OF L))
           (L BOUNDED-LATTICE))
  (THE-SET-OF-ALL
    (GREATER-OR-EQUAL-TO X L)))

(LEMMA
  (FORALL
    ((L BOUNDED-LATTICE)
     (X (NON-BOTTOM-MEMBER-OF L)))
    (IS (FILTER-GENERATED-BY X L)
        (FILTER-OF L))))


(IN-CONTEXT
  ((LET-BE L BOUNDED-LATTICE)
   (LET-BE X (NON-BOTTOM-MEMBER-OF L))
   (LET-BE F (FILTER-GENERATED-BY X L))
   (PUSH-GOAL (IS F (FILTER-OF L))))
  (IN-CONTEXT ((LET-BE S (U-SET L))
               (LET-BE Y (MEMBER-OF F)))
    (NOTE
      (IS F (NON-EMPTY-SUBSET-OF (U-SET L)))))
  (IN-CONTEXT ((LET-BE BOT (BOTTOM L)))
    (NOTE
      (NOT
        (IS (BOTTOM L) (MEMBER-OF F)))))
  (IN-CONTEXT
    ((LET-BE Y (MEMBER-OF F))
     (LET-BE Z (GREATER-OR-EQUAL-TO Y L)))
    (NOTE (FORALL ((Y (MEMBER-OF F)))
            (IS-EVERY
              (GREATER-OR-EQUAL-TO Y L)
              (MEMBER-OF F)))))
  (IN-CONTEXT ((LET-BE Y (MEMBER-OF F))
               (LET-BE Z (MEMBER-OF F))
               (LET-BE M (MEET Y Z L)))
    (NOTE (FORALL ((Y (MEMBER-OF F))
                   (Z (MEMBER-OF F)))
            (IS (MEET Y Z L)
                (MEMBER-OF F)))))
  (NOTE-GOAL))


(LEMMA
  (FORALL ((L BOUNDED-LATTICE)
           (F (FILTER-OF L)))
    (IS (TOP L)
        (MEMBER-OF F))))

(IN-CONTEXT
  ((LET-BE L BOUNDED-LATTICE)
   (LET-BE F (FILTER-OF L))
   (PUSH-GOAL
     (IS (TOP L) (MEMBER-OF F))))
  (IN-CONTEXT ((LET-BE X (MEMBER-OF F))
               (LET-BE T (TOP L)))
    (NOTE-GOAL)))


(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (F (FILTER-OF B))
           (X (MEMBER-OF F)))
    (NOT (IS (COMPLEMENT X B)
             (MEMBER-OF F)))))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE F (FILTER-OF B))
             (LET-BE X (MEMBER-OF F))
             (LET-BE CX (COMPLEMENT X B)))
  (NOTE (NOT (IS CX (MEMBER-OF F)))))
(DEFTYPE (ULTRAFILTER-OF (L BOUNDED-LATTICE))
  (MAXIMAL-ELEMENT-OF
    (INCLUSION-ORDER
      (THE-SET-OF-ALL (FILTER-OF L)))))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE)
           (F (ULTRAFILTER-OF L)))
    (IS F (FILTER-OF L))))

(LEMMA
  (FORALL ((L BOUNDED-LATTICE)
           (F (ULTRAFILTER-OF L)))
    (NOT
      (EXISTS-SOME
        (AND-TYPE
          (FILTER-OF L)
          (PROPER-SUPERSET-OF F))))))


(IN-CONTEXT ((LET-BE L BOUNDED-LATTICE)
             (PUSH-GOAL
               (IS-EVERY (ULTRAFILTER-OF L)
                         (FILTER-OF L))))
  (IN-CONTEXT
    ((SUPPOSE
       (EXISTS-SOME (ULTRAFILTER-OF L)))
     (LET-BE F (ULTRAFILTER-OF L))
     (LET-BE FILTER-SET
       (THE-SET-OF-ALL (FILTER-OF L)))
     (LET-BE FILTER-POSET
       (INCLUSION-ORDER FILTER-SET)))
    (NOTE-GOAL))
  (NOTE-GOAL))

(IN-CONTEXT
  ((LET-BE L BOUNDED-LATTICE)
   (PUSH-GOAL
     (FORALL ((F (ULTRAFILTER-OF L)))
       (NOT
         (EXISTS-SOME
           (AND-TYPE
             (FILTER-OF L)
             (PROPER-SUPERSET-OF F)))))))
  (IN-CONTEXT
    ((SUPPOSE
       (EXISTS-SOME (ULTRAFILTER-OF L)))
     (LET-BE F (ULTRAFILTER-OF L)))
    (IN-CONTEXT
      ((SUPPOSE
         (EXISTS-SOME
           (AND-TYPE
             (FILTER-OF L)
             (PROPER-SUPERSET-OF F))))
       (LET-BE F2
         (AND-TYPE (FILTER-OF L)
                   (PROPER-SUPERSET-OF F)))
       (LET-BE FILTER-SET
         (THE-SET-OF-ALL (FILTER-OF L)))
       (LET-BE FILTER-POSET
         (INCLUSION-ORDER FILTER-SET)))
      (NOTE-CONTRADICTION))
    (NOTE-GOAL))
  (NOTE-GOAL))




(LEMMA
  (FORALL ((L BOUNDED-LATTICE))
    (IS (THE-SET-OF-ALL (FILTER-OF L))
        FAMILY-OF-SETS)))

(IN-CONTEXT
  ((LET-BE L BOUNDED-LATTICE)
   (LET-BE F
     (THE-SET-OF-ALL (FILTER-OF L)))
   (LET-BE S (MEMBER-OF F)))
  (NOTE (IS F FAMILY-OF-SETS)))
We now come to the proof that every filter is contained in some ultrafilter. The following natural argument is taken from [Bell & Machover 77] page 136.

Let F be the set of all filters in a Boolean algebra B; F can be partially ordered by inclusion. We will show that, with respect to this ordering, chains in F have upper bounds in F.

Let T be a chain in F, and let C = ∪T. If x, y ∈ C, then for some D, E ∈ T, x ∈ D and y ∈ E. Since T is a chain, either D ⊆ E or E ⊆ D; suppose the latter case obtains. Then x, y ∈ D and because D is a filter we have x ∧ y ∈ D ⊆ C. If z ∈ D and x < z then ipso facto z ∈ D ⊆ C. Since 0 ∉ D for all D ∈ T, it follows that 0 ∉ C. Therefore C is a filter and is the required upper bound for T in F.

We may accordingly invoke Zorn's Lemma to conclude that, for every filter D in B, F contains a maximal member, i.e. an ultrafilter, which includes D.

A comparison of the above English proof with the Ontic proof given below yields a predicate count loss factor of 1.3 and a word count loss factor of 1.2.
(LEMMA
  (FORALL ((L BOUNDED-LATTICE))
    (IS (INCLUSION-ORDER
          (THE-SET-OF-ALL
            (FILTER-OF L)))
        INDUCTIVE-ORDER)))


(IN-CONTEXT
  ((LET-BE L BOUNDED-LATTICE)
   (LET-BE FILTER-FAMILY
     (THE-SET-OF-ALL (FILTER-OF L)))
   (LET-BE FILTER-POSET
     (INCLUSION-ORDER FILTER-FAMILY))
   (PUSH-GOAL (IS FILTER-POSET INDUCTIVE-ORDER)))
  (IN-CONTEXT ((LET-BE C (CHAIN-IN FILTER-POSET)))
    (IN-CONTEXT ((LET-BE S (MEMBER-OF C)))
      (NOTE (IS C FAMILY-OF-SETS)))
    (IN-CONTEXT
      ((PUSH-GOAL
         (EXISTS-SOME
           (UPPER-BOUND-OF C FILTER-POSET)))
       (LET-BE UC (FAMILY-UNION C)))
      (IN-CONTEXT
        ((PUSH-GOAL (IS UC (FILTER-OF L))))
        (IN-CONTEXT ((LET-BE USET (U-SET L))
                     (LET-BE S (MEMBER-OF C)))
          (NOTE
            (IS UC (NON-EMPTY-SUBSET-OF USET))))
        (IN-CONTEXT
          ((LET-BE BOT (BOTTOM L))
           (SUPPOSE (IS BOT (MEMBER-OF UC)))
           (WRITE-AS BOT (MEMBER-OF S)
                     (S (MEMBER-OF C))))
          (NOTE-CONTRADICTION))
        (IN-CONTEXT
          ((PUSH-GOAL
             (FORALL ((X (MEMBER-OF UC)))
               (IS-EVERY
                 (GREATER-OR-EQUAL-TO X L)
                 (MEMBER-OF UC))))
           (LET-BE X (MEMBER-OF UC))
           (LET-BE Y (GREATER-OR-EQUAL-TO X L)))
          (IN-CONTEXT ((WRITE-AS X (MEMBER-OF S)
                                 (S (MEMBER-OF C))))
            (NOTE-GOAL)))
        (IN-CONTEXT
          ((PUSH-GOAL
             (FORALL ((X (MEMBER-OF UC))
                      (Y (MEMBER-OF UC)))
               (IS (MEET X Y L) (MEMBER-OF UC))))
           (LET-BE X (MEMBER-OF UC))
           (LET-BE Y (MEMBER-OF UC))
           (LET-BE M (MEET X Y L)))
          (IN-CONTEXT
            ((PUSH-GOAL (IS M (MEMBER-OF UC)))
             (WRITE-AS X (MEMBER-OF S1)
                       (S1 (MEMBER-OF C)))
             (WRITE-AS Y (MEMBER-OF S2)
                       (S2 (MEMBER-OF C))))
            (IN-CONTEXT
              ((SUPPOSE (IS S1 (SUBSET-OF S2))))
              (NOTE-GOAL))
            (NOTE-GOAL))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (IN-CONTEXT ((LET-BE S (MEMBER-OF C)))
        (NOTE
          (IS UC
              (UPPER-BOUND-OF C FILTER-POSET))))
      (NOTE-GOAL))
    (NOTE-GOAL)))


(LEMMA
  (FORALL ((L BOUNDED-LATTICE)
           (F (FILTER-OF L)))
    (EXISTS-SOME
      (AND-TYPE
        (ULTRAFILTER-OF L)
        (SUPERSET-OF F)))))

(IN-CONTEXT
  ((LET-BE L BOUNDED-LATTICE)
   (LET-BE F (FILTER-OF L))
   (PUSH-GOAL
     (EXISTS-SOME
       (AND-TYPE (ULTRAFILTER-OF L)
                 (SUPERSET-OF F)))))
  (IN-CONTEXT
    ((LET-BE FILTER-SET
       (THE-SET-OF-ALL (FILTER-OF L)))
     (LET-BE FILTER-POSET
       (INCLUSION-ORDER FILTER-SET))
     (LET-BE F2
       (AND-TYPE
         (MAXIMAL-ELEMENT-OF FILTER-POSET)
         (GREATER-OR-EQUAL-TO F FILTER-POSET))))
    (NOTE-GOAL)))

(DEFTYPE (ULTRAFILTER-CONTAINING
           (X (IN-U-SET L))
           (L BOUNDED-LATTICE))
  (LAMBDA ((F (ULTRAFILTER-OF L)))
    (IS X (MEMBER-OF F))))


(LEMMA
  (FORALL
    ((L BOUNDED-LATTICE)
     (X (NON-BOTTOM-MEMBER-OF L)))
    (EXISTS-SOME
      (ULTRAFILTER-CONTAINING X L))))

(IN-CONTEXT
  ((LET-BE L BOUNDED-LATTICE)
   (LET-BE X (NON-BOTTOM-MEMBER-OF L))
   (PUSH-GOAL
     (EXISTS-SOME
       (ULTRAFILTER-CONTAINING X L))))
  (IN-CONTEXT
    ((LET-BE G1 (FILTER-GENERATED-BY X L))
     (LET-BE G2 (AND-TYPE (ULTRAFILTER-OF L)
                          (SUPERSET-OF G1))))
    (NOTE-GOAL)))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (X (IN-U-SET B))
           (Y (IN-U-SET B)))
    (->
      (NOT (IS X (LESS-OR-EQUAL-TO Y B)))
      (EXISTS
        ((F (ULTRAFILTER-CONTAINING X B)))
        (NOT (IS Y (MEMBER-OF F)))))))


(IN-CONTEXT
  ((LET-BE B BOOLEAN-LATTICE)
   (LET-BE X (IN-U-SET B))
   (LET-BE Y (IN-U-SET B))
   (SUPPOSE
     (NOT (IS X (LESS-OR-EQUAL-TO Y B))))
   (PUSH-GOAL
     (EXISTS ((F (ULTRAFILTER-CONTAINING X B)))
       (NOT (IS Y (MEMBER-OF F))))))
  (IN-CONTEXT
    ((LET-BE CY (COMPLEMENT Y B))
     (LET-BE M (MEET X CY B))
     (LET-BE F (ULTRAFILTER-CONTAINING M B)))
    (NOTE-GOAL)))


We now come to the proof that if F is an ultrafilter and if x ∨ y ∈ F then x ∈ F or y ∈ F. The following natural argument is taken from [Bell & Machover 77], top of page 136, case (iii) ⇒ (iv).

Suppose F is an ultrafilter of a bounded distributive lattice L and that x ∨ y ∈ F. To show that x ∈ F or y ∈ F suppose that x ∉ F. It is easy to see that G = {z : x ∨ z ∈ F} is a filter which includes F, and so, since F is an ultrafilter, F = G. But since x ∨ y ∈ F it follows that y ∈ G and hence y ∈ F.

A comparison of the above natural argument with the Ontic proof yields a predicate count loss factor of 2.1 and a word count loss factor of 2.7.
(LEMMA
  (FORALL
    ((L (AND-TYPE
          DISTRIBUTIVE-LATTICE
          BOUNDED-LATTICE))
     (F (ULTRAFILTER-OF L))
     (X (IN-U-SET L))
     (Y (IN-U-SET L)))
    (-> (IS (JOIN X Y L)
            (MEMBER-OF F))
        (OR (IS X (MEMBER-OF F))
            (IS Y (MEMBER-OF F))))))


(IN-CONTEXT
  ((LET-BE L (AND-TYPE
               DISTRIBUTIVE-LATTICE
               BOUNDED-LATTICE))
   (LET-BE F (ULTRAFILTER-OF L))
   (LET-BE X (IN-U-SET L))
   (LET-BE Y (IN-U-SET L))
   (SUPPOSE (IS (JOIN X Y L)
                (MEMBER-OF F)))
   (PUSH-GOAL (OR (IS X (MEMBER-OF F))
                  (IS Y (MEMBER-OF F)))))
  (IN-CONTEXT
    ((SUPPOSE (NOT (IS X (MEMBER-OF F))))
     (PUSH-GOAL (IS Y (MEMBER-OF F))))
    (IN-CONTEXT
      ((LET-BE G
         (THE-SET-OF-ALL (Z (IN-U-SET L))
           (IS (JOIN X Z L) (MEMBER-OF F)))))
      ;clearly y is in g
      (IN-CONTEXT ((PUSH-GOAL (= F G)))
        ;this will complete the proof that
        ;y is in f
        (IN-CONTEXT
          ((PUSH-GOAL (IS G (SUPERSET-OF F)))
           (LET-BE Z (MEMBER-OF F))
           (LET-BE J (JOIN X Z L)))
          (NOTE-GOAL))
        (IN-CONTEXT
          ((PUSH-GOAL (IS G (FILTER-OF L))))
          ;since f is a maximal filter this
          ;completes the proof
          (IN-CONTEXT
            ((PUSH-GOAL
               (IS G
                   (NON-EMPTY-SUBSET-OF
                     (U-SET L))))
             (LET-BE S (U-SET L))
             (LET-BE Z (MEMBER-OF G)))
            (NOTE-GOAL))
          (IN-CONTEXT ((LET-BE BOT (BOTTOM L)))
            (NOTE
              (NOT (IS (BOTTOM L)
                       (MEMBER-OF G)))))
          (IN-CONTEXT
            ((PUSH-GOAL
               (FORALL
                 ((Z1 (MEMBER-OF G))
                  (Z2 (GREATER-OR-EQUAL-TO Z1
                                           L)))
                 (IS Z2 (MEMBER-OF G))))
             (LET-BE Z1 (MEMBER-OF G))
             (LET-BE Z2
               (GREATER-OR-EQUAL-TO Z1 L))
             (LET-BE J1 (JOIN X Z1 L))
             (LET-BE J2 (JOIN X Z2 L)))
            ;j2 is greater or equal to j1
            (NOTE-GOAL))
          (IN-CONTEXT
            ((PUSH-GOAL
               (FORALL ((Z1 (MEMBER-OF G))
                        (Z2 (MEMBER-OF G)))
                 (IS (MEET Z1 Z2 L)
                     (MEMBER-OF G))))
             (LET-BE Z1 (MEMBER-OF G))
             (LET-BE Z2 (MEMBER-OF G)))
            (IN-CONTEXT
              ((LET-BE J1 (JOIN X Z1 L))
               (LET-BE J2 (JOIN X Z2 L)))
              (NOTE (IS (JOIN X (MEET Z1 Z2 L) L)
                        (MEMBER-OF F))))
            (IN-CONTEXT
              ((LET-BE M (MEET Z1 Z2 L)))
              (NOTE-GOAL)))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL)))
  (NOTE-GOAL))


(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (F (ULTRAFILTER-OF B))
           (X (IN-U-SET B)))
    (OR (IS X (MEMBER-OF F))
        (IS (COMPLEMENT X B)
            (MEMBER-OF F)))))

(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE F (ULTRAFILTER-OF B))
             (LET-BE X (IN-U-SET B))
             (LET-BE CX (COMPLEMENT X B)))
  (NOTE (OR (IS X (MEMBER-OF F))
            (IS CX (MEMBER-OF F)))))
A.11 The Stone Representation Theorem


Finally we come to the Stone representation theorem for Boolean algebras. The following natural definitions and natural arguments are taken from [Bell & Machover 77] pages 141 and 142.

Let us define a field of sets to be a subalgebra of a power set algebra. In particular, a field of subsets of a set X is a subalgebra of the power set of X.

If B is a Boolean algebra, we denote by SB the set of all ultrafilters in B.

Theorem. Each Boolean algebra is isomorphic to a field of subsets of SB.

Proof. Let B be a Boolean algebra. Define a mapping u : B → PSB by putting:

u(x) = {F ∈ SB : x ∈ F}

for each x ∈ B. Thus u(x) is the set of all ultrafilters containing x.

We claim that u is a homomorphism of B into PSB. For suppose that x, y ∈ B; then, if F ∈ SB, we have

F ∈ u(x ∧ y) ⇔ x ∧ y ∈ F ⇔ F ∈ u(x) ∩ u(y)

Hence u(x ∧ y) = u(x) ∩ u(y). Also, we have

F ∈ u(x*) ⇔ x* ∈ F ⇔ x ∉ F (by Thm. 3.5(iv)) ⇔ F ∈ SB − u(x)

Accordingly u(x*) = SB − u(x), so that, by Prob 3.3, u is a homomorphism.

We also note that u is one-one, for if x ≠ y then by Cor. 3.9 there is an ultrafilter F containing x, say, but not y. Then F ∈ u(x) and F ∉ u(y), so that u(x) ≠ u(y).

We have therefore shown that u is an isomorphism of B onto the subalgebra u[B] of PSB, which proves the theorem.

A comparison of the above natural definitions and arguments with the remainder of this section yields a predicate count loss factor of 2.0 and a word count loss factor of 1.7.
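The definitions of sections A.9 through A.11 (Boolean homomorphism, filter, ultrafilter, and the Stone map u) can all be checked by brute force on a small finite Boolean lattice, which makes the abstract argument above concrete. The following Python program is an added illustration and is not Ontic code or part of this thesis; the divisors-of-30 lattice is a constructed sample, and the names FiniteLattice, is_prime_filter and stone_map_is_boolean_isomorphism are chosen here. It enumerates every filter of the lattice from the three FILTER-OF conditions, picks out the ultrafilters as the inclusion-maximal ones, checks the property that x ∨ y ∈ F forces x ∈ F or y ∈ F (and shows it failing for a filter that is not maximal), and verifies that u(x) = {F ∈ SB : x ∈ F} respects meet, join and complement and is one-one.

```python
from itertools import combinations


class FiniteLattice:
    """A finite bounded lattice given by its elements and a less-or-equal relation.
    Meet, join, top, bottom and complement are computed from the order alone,
    in the same spirit as the Ontic definitions, which are stated in terms of the order."""

    def __init__(self, elements, leq):
        self.elements = list(elements)
        self.leq = leq
        self.bottom = next(x for x in self.elements if all(leq(x, y) for y in self.elements))
        self.top = next(x for x in self.elements if all(leq(y, x) for y in self.elements))
        self._ultrafilters = None

    def meet(self, x, y):
        lower = [z for z in self.elements if self.leq(z, x) and self.leq(z, y)]
        return next(z for z in lower if all(self.leq(w, z) for w in lower))

    def join(self, x, y):
        upper = [z for z in self.elements if self.leq(x, z) and self.leq(y, z)]
        return next(z for z in upper if all(self.leq(z, w) for w in upper))

    def complement(self, x):
        # In a Boolean lattice the complement is the unique c with meet bottom and join top.
        return next(c for c in self.elements
                    if self.meet(x, c) == self.bottom and self.join(x, c) == self.top)

    def is_filter(self, s):
        """The FILTER-OF conditions of A.10: non-empty, bottom excluded, upward closed, meet closed."""
        return (len(s) > 0
                and self.bottom not in s
                and all(z in s for x in s for z in self.elements if self.leq(x, z))
                and all(self.meet(x, y) in s for x in s for y in s))

    def filter_generated_by(self, x):
        """FILTER-GENERATED-BY: every element greater than or equal to x."""
        return frozenset(z for z in self.elements if self.leq(x, z))

    def filters(self):
        # Brute force over every non-empty subset of the non-bottom elements.
        candidates = [x for x in self.elements if x != self.bottom]
        found = []
        for k in range(1, len(candidates) + 1):
            for combo in combinations(candidates, k):
                s = frozenset(combo)
                if self.is_filter(s):
                    found.append(s)
        return found

    def ultrafilters(self):
        """ULTRAFILTER-OF: the filters that are maximal under inclusion (SB)."""
        if self._ultrafilters is None:
            fs = self.filters()
            self._ultrafilters = [f for f in fs if not any(f < g for g in fs)]
        return self._ultrafilters

    def stone_map(self, x):
        """THE-STONE-MODELS-OF x: u(x) = {F in SB : x in F}."""
        return frozenset(f for f in self.ultrafilters() if x in f)


def is_prime_filter(lat, f):
    """join(x, y) in f implies x in f or y in f, for all x, y (proved above for ultrafilters)."""
    return all(lat.join(x, y) not in f or x in f or y in f
               for x in lat.elements for y in lat.elements)


def stone_map_is_boolean_isomorphism(lat):
    """u respects meet, join and complement and is one-one, i.e. B is isomorphic
    to the field of subsets u[B] of SB."""
    sb = frozenset(lat.ultrafilters())
    u = {x: lat.stone_map(x) for x in lat.elements}
    for x in lat.elements:
        if u[lat.complement(x)] != (sb - u[x]):
            return False
        for y in lat.elements:
            if u[lat.meet(x, y)] != (u[x] & u[y]) or u[lat.join(x, y)] != (u[x] | u[y]):
                return False
    return len(set(u.values())) == len(lat.elements)   # one-one


def divisors_of_30():
    """Constructed sample: the divisors of 30 ordered by divisibility form a Boolean
    lattice with meet = gcd, join = lcm and complement 30 / x."""
    return FiniteLattice([d for d in range(1, 31) if 30 % d == 0], lambda a, b: b % a == 0)


if __name__ == "__main__":
    lat = divisors_of_30()
    for f in lat.ultrafilters():
        print("ultrafilter", sorted(f), "prime:", is_prime_filter(lat, f))
    print("u(6) =", [sorted(f) for f in lat.stone_map(6)])
    print("Stone map is a Boolean isomorphism onto u[B]:", stone_map_is_boolean_isomorphism(lat))
```

On this lattice every filter is principal, the ultrafilters are the filters generated by the atoms 2, 3 and 5, and u(6) is the pair of ultrafilters generated by 2 and 3; the filter generated by 6 contains 2 ∨ 3 = 6 without containing 2 or 3, which is exactly why the lemma above needs F to be maximal.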


(DEFTYPE FIELD-OF-SETS
  (WRITABLE-AS (BOOLEAN-SUBALGEBRA-OF
                 (POWER-SET-LATTICE S))
               (S SET)))

(LEMMA
  (EXISTS-SOME FIELD-OF-SETS))

(IN-CONTEXT ((LET-BE S SET)
             (LET-BE P (POWER-SET-LATTICE S)))
  (NOTE (EXISTS-SOME FIELD-OF-SETS)))

(LEMMA
  (FORALL ((B FIELD-OF-SETS))
    (IS B BOOLEAN-LATTICE)))

(IN-CONTEXT
  ((LET-BE B FIELD-OF-SETS)
   (WRITE-AS B (BOOLEAN-SUBALGEBRA-OF
                 (POWER-SET-LATTICE S))
             (S SET))
   (LET-BE B2 (POWER-SET-LATTICE S)))
  (NOTE (IS B BOOLEAN-LATTICE)))


(DEFTERM (ALL-STONE-MODELS (B BOOLEAN-LATTICE))
  (THE-SET-OF-ALL (ULTRAFILTER-OF B)))

(DEFTERM (THE-STONE-MODELS-OF
           (X (IN-U-SET B))
           (B BOOLEAN-LATTICE))
  (THE-SET-OF-ALL
    (ULTRAFILTER-CONTAINING X B)))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (X (IN-U-SET B)))
    (IS (THE-STONE-MODELS-OF X B)
        (SUBSET-OF
          (ALL-STONE-MODELS B)))))

(IN-CONTEXT
  ((LET-BE B BOOLEAN-LATTICE)
   (LET-BE S (ALL-STONE-MODELS B))
   (LET-BE X (IN-U-SET B))
   (LET-BE SX (THE-STONE-MODELS-OF X B))
   (PUSH-GOAL (IS SX (SUBSET-OF S))))
  (IN-CONTEXT
    ((SUPPOSE
       (EXISTS-SOME (MEMBER-OF SX)))
     (LET-BE F (MEMBER-OF SX)))
    (NOTE-GOAL))
  (NOTE-GOAL))

(DEFTERM (STONE-MAP (B BOOLEAN-LATTICE))
  (MAKE-MAP
    B
    (POWER-SET-LATTICE
      (ALL-STONE-MODELS B))
    (THE-RULE ((X (IN-U-SET B)))
      (THE-STONE-MODELS-OF X B))))
(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (POWER-SET-LATTICE
          (ALL-STONE-MODELS B))
        POWER-LATTICE)))


(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (= (U-SET (POWER-SET-LATTICE
                (ALL-STONE-MODELS B)))
       (POWER-SET
         (ALL-STONE-MODELS B)))))


(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE S (ALL-STONE-MODELS B)))
  (NOTE (IS (POWER-SET-LATTICE S) POWER-LATTICE))
  (IN-CONTEXT ((LET-BE PS (POWER-SET S)))
    (NOTE (= (U-SET (POWER-SET-LATTICE S)) PS))
    (NOTE
      (IS-EVERY
        (SUBSET-OF S)
        (MEMBER-OF
          (U-SET
            (POWER-SET-LATTICE S)))))))


(LEMMA
  (FORALL
    ((B BOOLEAN-LATTICE)
     (S2 (SUBSET-OF
           (ALL-STONE-MODELS B))))
    (IS S2
        (MEMBER-OF
          (U-SET
            (POWER-SET-LATTICE
              (ALL-STONE-MODELS B)))))))
(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (THE-RULE ((X (IN-U-SET B)))
          (THE-STONE-MODELS-OF X B))
        (RULE-BETWEEN
          (U-SET B)
          (U-SET
            (POWER-SET-LATTICE
              (ALL-STONE-MODELS B)))))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (STONE-MAP B)
        (MAP-BETWEEN
          B
          (POWER-SET-LATTICE
            (ALL-STONE-MODELS B))))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (STONE-MAP B) BOOLEAN-MAP)))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (= (DOMAIN (STONE-MAP B))
       B)))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (= (RANGE (STONE-MAP B))
       (POWER-SET-LATTICE
         (ALL-STONE-MODELS B)))))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE)
           (X (IN-U-SET B)))
    (= (APPLY-MAP (STONE-MAP B) X)
       (THE-STONE-MODELS-OF X B))))


(IN-CONTEXT
  ((LET-BE B BOOLEAN-LATTICE)
   (LET-BE SB
     (POWER-SET-LATTICE (ALL-STONE-MODELS B)))
   (LET-BE H (STONE-MAP B))
   (LET-BE R (THE-RULE ((X (IN-U-SET B)))
               (THE-STONE-MODELS-OF X B)))
   (LET-BE X (IN-U-SET B)))
  (IN-CONTEXT ((LET-BE HX (APPLY-RULE R X))
               (LET-BE USET1 (U-SET B))
               (LET-BE USET2 (U-SET SB)))
    (NOTE (IS R (RULE-BETWEEN USET1 USET2))))
  (NOTE (IS H (MAP-BETWEEN B SB)))
  (NOTE (IS H BOOLEAN-MAP))
  (NOTE (= (DOMAIN H) B))
  (NOTE (= (RANGE H) SB))
  (NOTE (= (APPLY-MAP H X)
           (THE-STONE-MODELS-OF X B))))
(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (STONE-MAP B)
        BOOLEAN-HOMOMORPHISM)))


(IN-CONTEXT
  ((LET-BE B BOOLEAN-LATTICE)
   (LET-BE H (STONE-MAP B))
   (LET-BE SB
     (POWER-SET-LATTICE
       (ALL-STONE-MODELS B)))
   (PUSH-GOAL
     (IS H BOOLEAN-HOMOMORPHISM)))
  (IN-CONTEXT
    ((PUSH-GOAL
       (IS H MAP-WHICH-RESPECTS-MEET))
     (LET-BE X (IN-U-SET B))
     (LET-BE Y (IN-U-SET B))
     (LET-BE X-MODELS (APPLY-MAP H X))
     (LET-BE Y-MODELS (APPLY-MAP H Y))
     (LET-BE M (MEET X Y B))
     (LET-BE M-MODELS (APPLY-MAP H M))
     (LET-BE MODEL-INTERSECTION
       (INTERSECTION X-MODELS Y-MODELS)))
    (IN-CONTEXT
      ((PUSH-GOAL
         (= M-MODELS MODEL-INTERSECTION)))
      (IN-CONTEXT
        ((PUSH-GOAL
           (IS MODEL-INTERSECTION
               (SUBSET-OF M-MODELS))))
        (IN-CONTEXT
          ((SUPPOSE
             (EXISTS-SOME
               (MEMBER-OF MODEL-INTERSECTION)))
           (LET-BE F
             (MEMBER-OF MODEL-INTERSECTION)))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (IN-CONTEXT
        ((PUSH-GOAL
           (IS M-MODELS
               (SUBSET-OF MODEL-INTERSECTION))))
        (IN-CONTEXT
          ((SUPPOSE
             (EXISTS-SOME
               (MEMBER-OF M-MODELS)))
           (LET-BE F (MEMBER-OF M-MODELS)))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  ; continued from previous page
  (IN-CONTEXT
    ((PUSH-GOAL
       (IS H MAP-WHICH-RESPECTS-COMPLEMENT))
     (LET-BE X (IN-U-SET B))
     (LET-BE HX (APPLY-MAP H X))
     (LET-BE C (COMPLEMENT-OF X B))
     (LET-BE C-MODELS (APPLY-MAP H C))
     (LET-BE ALL-MODELS (ALL-STONE-MODELS B))
     (LET-BE MODEL-COMPLEMENT
       (SET-DIFFERENCE ALL-MODELS HX)))
    (IN-CONTEXT
      ((PUSH-GOAL (= C-MODELS MODEL-COMPLEMENT)))
      (IN-CONTEXT
        ((PUSH-GOAL
           (IS MODEL-COMPLEMENT
               (SUBSET-OF C-MODELS))))
        (IN-CONTEXT
          ((SUPPOSE
             (EXISTS-SOME
               (MEMBER-OF MODEL-COMPLEMENT)))
           (LET-BE F
             (MEMBER-OF MODEL-COMPLEMENT)))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (IN-CONTEXT
        ((PUSH-GOAL
           (IS C-MODELS
               (SUBSET-OF MODEL-COMPLEMENT))))
        (IN-CONTEXT
          ((SUPPOSE
             (EXISTS-SOME
               (MEMBER-OF C-MODELS)))
           (LET-BE F (MEMBER-OF C-MODELS)))
          (NOTE-GOAL))
        (NOTE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL))
  (NOTE-GOAL))
(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (STONE-MAP B) INJECTION)))


(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE H (STONE-MAP B))
             (PUSH-GOAL (IS H INJECTION)))
  (IN-CONTEXT
    ((LET-BE MSET (MEMBER-OF (IMAGE H)))
     (LET-BE PRE-MSET
       (PREIMAGE H (OUXE-SET MSET))))
    (IN-CONTEXT
      ((PUSH-GOAL
         (EXACTLY-ONE (MEMBER-OF PRE-MSET)))
       (LET-BE X (MEMBER-OF PRE-MSET))
       (LET-BE Y (MEMBER-OF PRE-MSET)))
      (IN-CONTEXT
        ((PUSH-GOAL
           (IS X (LESS-OR-EQUAL-TO Y B))))
        (IN-CONTEXT
          ((SUPPOSE
             (NOT (IS X (LESS-OR-EQUAL-TO Y B))))
           (LET-BE F (ULTRAFILTER-CONTAINING X B)
             (NOT (IS Y (MEMBER-OF F)))))
          (NOTE-CONTRADICTION))
        (NOTE-GENERALIZE-GOAL))
      (NOTE-GOAL))
    (NOTE-GOAL)))


(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (BOOLEAN-IMAGE (STONE-MAP B))
        FIELD-OF-SETS)))

(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (IS (SET-RANGE
          (STONE-MAP B)
          (BOOLEAN-IMAGE (STONE-MAP B)))
        (BOOLEAN-ISOMORPHISM-BETWEEN
          B
          (BOOLEAN-IMAGE
            (STONE-MAP B))))))


(IN-CONTEXT ((LET-BE B BOOLEAN-LATTICE)
             (LET-BE H (STONE-MAP B))
             (LET-BE B2 (BOOLEAN-IMAGE H)))
  (IN-CONTEXT ((LET-BE S (ALL-STONE-MODELS B)))
    (NOTE (IS B2 FIELD-OF-SETS)))
  (IN-CONTEXT ((LET-BE H2 (SET-RANGE H B2)))
    (NOTE
      (IS H2
          (BOOLEAN-ISOMORPHISM-BETWEEN B B2)))
    (NOTE
      (EXISTS-SOME
        (AND-TYPE
          FIELD-OF-SETS
          (BOOLEAN-LATTICE-ISOMORPHIC-TO B))))))


(LEMMA
  (FORALL ((B BOOLEAN-LATTICE))
    (EXISTS-SOME
      (AND-TYPE
        FIELD-OF-SETS
        (BOOLEAN-LATTICE-ISOMORPHIC-TO
          B)))))
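The Stone construction that the natural-language proof and the Ontic lemmas above both carry out, as an added worked example in Python (written for this page; it is not Ontic code and not from the thesis). It plays the roles of ALL-STONE-MODELS, THE-STONE-MODELS-OF and STONE-MAP on a finite Boolean lattice that is presented only by its carrier and its order relation, then checks by exhaustive search exactly the facts the lemmas state: the map respects meet and complement, is injective, and its image is a field of sets over the Stone models. The divisor lattice used as input is a constructed sample, and all class and function names are this example's own.

```python
"""Finite check of the Stone representation construction.

Added example, not Ontic code and not from the thesis.  Class and function
names are this example's own; the sample lattice (divisors of 30) is constructed.
"""
from typing import Callable, Dict, FrozenSet, Hashable, Iterable, List, Optional


class FiniteBooleanLattice:
    """A finite lattice presented by its carrier and a reflexive order `leq`.
    Meet, join and complement are derived from the order alone, so the carrier
    need not be a family of sets."""

    def __init__(self, elements: Iterable[Hashable],
                 leq: Callable[[Hashable, Hashable], bool]) -> None:
        self.elements: List[Hashable] = list(elements)
        self.leq = leq
        self.bottom = self._unique(lambda z: all(leq(z, w) for w in self.elements))
        self.top = self._unique(lambda z: all(leq(w, z) for w in self.elements))

    def _unique(self, pred: Callable[[Hashable], bool]) -> Hashable:
        hits = [z for z in self.elements if pred(z)]
        if len(hits) != 1:
            raise ValueError("expected exactly one element, found %d" % len(hits))
        return hits[0]

    def meet(self, a, b):
        """Greatest lower bound of a and b."""
        lower = [z for z in self.elements if self.leq(z, a) and self.leq(z, b)]
        return self._unique(lambda z: z in lower and all(self.leq(w, z) for w in lower))

    def join(self, a, b):
        """Least upper bound of a and b."""
        upper = [z for z in self.elements if self.leq(a, z) and self.leq(b, z)]
        return self._unique(lambda z: z in upper and all(self.leq(z, w) for w in upper))

    def complement(self, a):
        """The unique y with a meet y = bottom and a join y = top; raises
        ValueError when the lattice is not Boolean at a."""
        return self._unique(lambda y: self.meet(a, y) == self.bottom
                            and self.join(a, y) == self.top)

    def up_set(self, a) -> FrozenSet:
        """Principal filter generated by a.  Every filter of a finite lattice is
        principal (generated by the meet of its finitely many members), so the
        principal filters are all the filters there are."""
        return frozenset(z for z in self.elements if self.leq(a, z))

    def ultrafilters(self) -> FrozenSet[FrozenSet]:
        """ALL-STONE-MODELS: the maximal proper filters."""
        proper = [self.up_set(a) for a in self.elements if a != self.bottom]
        return frozenset(F for F in proper if not any(F < G for G in proper))


def is_boolean(lat: FiniteBooleanLattice) -> bool:
    """True when every element has a unique complement."""
    try:
        for a in lat.elements:
            lat.complement(a)
    except ValueError:
        return False
    return True


def stone_map(lat: FiniteBooleanLattice) -> Dict[Hashable, FrozenSet]:
    """STONE-MAP: x |-> THE-STONE-MODELS-OF x, the ultrafilters containing x."""
    models = lat.ultrafilters()
    return {x: frozenset(F for F in models if x in F) for x in lat.elements}


def separating_ultrafilter(lat, x, y) -> Optional[FrozenSet]:
    """An ultrafilter containing x but not y (the witness the injection proof
    uses), or None when there is none, i.e. when x <= y."""
    for F in lat.ultrafilters():
        if x in F and y not in F:
            return F
    return None


def check_stone_representation(lat: FiniteBooleanLattice) -> Dict[str, bool]:
    """Exhaustively check the properties the lemmas assert of the Stone map."""
    S = lat.ultrafilters()
    u = stone_map(lat)
    E = lat.elements
    image = set(u.values())
    return {
        # an ultrafilter contains exactly one of x and its complement
        "dichotomy": all((x in F) != (lat.complement(x) in F) for F in S for x in E),
        "respects_meet": all(u[lat.meet(x, y)] == u[x] & u[y] for x in E for y in E),
        "respects_complement": all(u[lat.complement(x)] == S - u[x] for x in E),
        "injective": len(image) == len(E),
        # image is a field of sets over S: contains S, closed under intersection
        # and under complement relative to S
        "image_is_field_of_sets": (S in image
                                   and all(a & b in image for a in image for b in image)
                                   and all(S - a in image for a in image)),
        # the order is recovered from the models: x <= y iff nothing separates them
        "order_recovered": all(lat.leq(x, y) == (separating_ultrafilter(lat, x, y) is None)
                               for x in E for y in E),
    }


def divisor_lattice(n: int) -> FiniteBooleanLattice:
    """Constructed sample: divisors of n under divisibility.  Boolean exactly
    when n is squarefree (meet = gcd, join = lcm, complement = n/d)."""
    divisors = [d for d in range(1, n + 1) if n % d == 0]
    return FiniteBooleanLattice(divisors, lambda a, b: b % a == 0)


if __name__ == "__main__":
    lat = divisor_lattice(30)                 # isomorphic to the power set of {2, 3, 5}
    for x, models in sorted(stone_map(lat).items()):
        print(x, "->", sorted(sorted(F) for F in models))
    print(check_stone_representation(lat))    # every entry True
    print(is_boolean(divisor_lattice(12)))    # False: 2 has no complement
```

For the divisors of 30 the three Stone models are the principal filters of the atoms 2, 3 and 5, and the map sends 6 to the pair of models generated by 2 and 3, 1 to the empty set and 30 to the whole Stone space; `is_boolean` on the divisors of 12 shows the complement step failing, which is why the construction is stated for Boolean lattices only.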